Following the https://circleci.com/blog/publishing-npm-packages-using-circleci-2-0/ manual, it’s possible to define
$npm_TOKEN which is used to publish to NPM.
The job that does it uses:
- run: name: Authenticate with registry command: echo "//registry.npmjs.org/:_authToken=$npm_TOKEN" > ~/repo/.npmrc
But there is a possibility to add a new job, with the following content:
- run: name: Authenticate with registry command: cat ~/repo/.npmrc
which will output the content including secrete token. And CI doesn’t try to handle it (let’s say replace the token with asterisk symbols). Moreover any unregistered user can see this log.
What is the proper way to prevent it?