I am trying to understand how to include build time secrets when using the new deploy UI and GitHub Integration, specifically access to a private npm repo by using an .npmrc file with a GitHub token.
I have read this article about passing build time secrets using an ephemeral build machine: Build Secrets · Fly Docs. I also read through the fly.toml reference to see if there was an option to specify an image for the builder but missed it if there is such an option. The specific use case is that I have an .npmrc file that contains secrets (access to private repo) that shouldn’t be included in the application image.
My current approach is to copy this file to the application image but omit the layers that contain it, but the .npmrc is not committed to GitHub (since it has the secret) and so is not available when a build is triggered by fly.io or on push.
Dockerfile

```dockerfile
...
# Throw-away build stage to reduce size of final image
FROM base as build

# Install packages needed to build node modules
RUN apt-get update -qq && \
    apt-get install --no-install-recommends -y build-essential node-gyp pkg-config python-is-python3

# Install node modules
COPY --link .npmrc package-lock.json package.json ./
RUN npm ci --include=dev --verbose

# Copy application code
COPY . .

# Build application
RUN npm run build

# Remove development dependencies
RUN npm prune --omit=dev

# Final stage for app image
FROM base

# Copy built application
COPY --from=build /app /app
...
```
Doing this from GitHub Actions should be relatively straightforward since GitHub already creates the .npmrc and will add the GitHub token automatically. But since fly.io offers its own integration, I was wondering if there isn’t a way to deal with this natively in fly.io.
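
For reference, the same build with the .npmrc supplied as a BuildKit secret mount instead of a `COPY`, so the file exists only while `npm ci` runs and is absent from every layer, including the `/app` tree copied into the final stage. This is an added example, not part of the original post or Fly's own code; the base image, the `/app` working directory and the secret id `npmrc` are assumptions, and how the builder behind the deploy UI would be handed the secret is not covered here.

```dockerfile
# syntax=docker/dockerfile:1

# Assumed base stage (the post elides it); WORKDIR /app is also an assumption.
FROM node:20-slim AS base
WORKDIR /app

# Throw-away build stage to reduce size of final image
FROM base AS build

# Install packages needed to build node modules
RUN apt-get update -qq && \
    apt-get install --no-install-recommends -y build-essential node-gyp pkg-config python-is-python3

# Only the manifests are copied; .npmrc is deliberately left out of the COPY.
COPY package-lock.json package.json ./

# Mount the secret (assumed id "npmrc") at /app/.npmrc for this single RUN.
# BuildKit keeps the file out of the resulting layer and the build cache.
# With plain Docker the secret would be passed as:
#   docker build --secret id=npmrc,src=.npmrc .
RUN --mount=type=secret,id=npmrc,target=/app/.npmrc \
    npm ci --include=dev

# List .npmrc in .dockerignore so this COPY cannot pick up a local copy.
COPY . .

# Build application
RUN npm run build

# Remove development dependencies
RUN npm prune --omit=dev

# Final stage for app image
FROM base

# /app now contains node_modules and build output, but no .npmrc.
COPY --from=build /app /app
```

With the `COPY .npmrc` variant, deleting the file in a later `RUN` is not enough, because the earlier layer and the `/app` directory copied into the final stage can still hold it.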