How to keep secret your Font Awesome Pro token in public GitHub actions

Configure your GitHub actions to keep secret your Font Awesome Pro token or NPM private tokens

Nov 27, 2019

#devops #webdev #github #fontawesome

Photo by Serkan Turk on Unsplash

Yesterday Julien Renaux published a series of interesting new blog posts. In one of these he notably displayed, step by step, how to deploy StencilJS apps with GitHub actions and Firebase hosting.

This tutorial really caught my eye because all applications of our web open source project DeckDeckGo are developed with StencilJS and hosted on Firebase šŸ˜

Of course I couldnā€™t wait that much and I had to give it a try. Because Iā€™ll have to make changes to obfuscate production tokens differently if I use a CI to build our editor for presentations, I thought I could first try out his recipe in the current Ionic React demo application Iā€™m developing for our Meetup next week.

As a result, it just worked seamlessly šŸŽ‰ It worked so well and the setup was so easy, that I thought I could quickly setup another CI deployment for my website too.

Unfortunately it didnā€™t worked out šŸ˜• Even if the technology and stack of my website, build with Gatsby, is somehow really similar to the small app, the build performed by the CI failed:

X Download Artifact 1 Run actions/download-artifact@master 2 with: 3 name: build 4 Download artifact 'build' to: '/home/runner/work/daviddalbusco.com/daviddalbusco.com/build' 5 6

At first, I didnā€™t understood the error. Of course I noticed that some artifacts couldnā€™t be downloaded but I didnā€™t knew what where these and what was the root cause. After a bit I finally remembered that I used to face a similar problem with another CI.

For my website Iā€™m using Font Awesome and notably the @fortawesome/pro-light-svg-icons icons which could only be used if my related Font Awesome Pro NPM token is configured. While the documentation explains clearly how to configure the token locally, they donā€™t (or at least I didnā€™t found out at first) provide an example which displays how to hide it from a public repository. Therefore, the purpose of this blog post.

Configure the NPM registry

The Font Awesome NPM token could either be set up globally or per project. The method we need to build our project with a CI is the last one, ā€œper projectā€. For that purpose, we create a new file .npmrc in the root of your project . To the contrary of the documentation, we only add one line in the file respectively we only add the reference to the Font Awesome packet manager. We deliberately ignore to specify anything regarding our token.

@fortawesome:registry=https://npm.fontawesome.com/

Set up a new secret in GitHub

As we didnā€™t provided the token in the previous file, we will have to provide it to the GitHub action in a different way otherwise it will still not be able to download the dependency. Fortunately GitHub already provide an option to keep environment variables secret. Therefore we make the most of this option and we create a new secret for our Font Awesome NPM token. For example letā€™s call it FONTAWESOME_NPM_AUTH_TOKEN.

Set up a GitHub secret for the Font Awesome NPM token

Use the secret in our CI

If you already followed the tutorial of Julien, your CI workflow probably already contains the following to install the dependencies from NPM of your application:

- name: Install Dependencies run: npm ci

This is the root of our problem, as NPM is not aware of the specific registry and token it has to use to download the specific artifact. Therefore we finally are going to resolve the issue by running a command-line, before the installation one, to configure NPM with our secret token.

The pipe (| ) let us specify multiple commands all run in the in the same shell (see documentation).

- name: Install Dependencies run: | npm config set '//npm.fontawesome.com/:_authToken' "${{ secrets.FONTAWESOME_NPM_AUTH_TOKEN }}" npm ci

And voilĆ , our CI should now be able to download the required dependency and therefore build and deploy our project šŸŽ‰

Successful CI, happy CI šŸ˜ŗ

Cherry on the cake šŸ’šŸŽ‚

My website is open source and available on GitHub, check it out to validate the solution with your own eyes šŸ˜‰

To infinity and beyond šŸš€

David