I use GitHub instead of CodeCommit for many reasons, and I also use GitHub Npm Registry, for private packages. It took me some time to understand how I can use them in CodeBuild, so I want to share it with you.
Disclaimer, this is maybe not the best (or even correct way) to do this, but this how I managed to solve the problem for me.
To do this, the secure way I will have to use some magic :) I am using SecretsManager to store a GitHub Personal Token securely, for later using it in the pipelines as an environment variable. We will accomplish this in four easy steps.
1. GitHub - Create token
First, we have to to create a private personal token in Github, you will do that under your settings and Developer Settings. The key needs only access to read:packages.
Save it and make sure to copy the key that is generated for next step.
2. AWS Secrets Manager - Add token
Now we have to add the key to Secrets Manager in AWS.
Review the details and save. It will result in a key looking like this:
3. Configure NPM
This was the tricky part for me, because I want to use npm login when I am developing on my personal machine, and do not want to share the key with other people. so i had to create two .npmrc files, on for local development (.npmrc) and one for CodeBuild (.npmrc_ci).
Make sure to change @loupeen to your account/organisation.
| @loupeen:registry=https://npm.pkg.github.com | |
| always-auth=true |
| @loupeen:registry=https://npm.pkg.github.com | |
| //npm.pkg.github.com/:_authToken=${GITHUB_ACCESS_TOKEN} | |
| always-auth=true |
4. Pipeline
Last thing is to configure our pipelines synth and build step.
First we are getting the secret at line 1, after that we are using it in synth (line 10–17) and build (line 20–27) steps, and last thing we have to do is to use the correct .npmrc file, and that is on line 32.
CodePipeline example
| const GHSecret = Secret.fromSecretNameV2(scope, 'GHSecret', 'github/read_registry'); | |
| const codeStarArn = ''; | |
| const input = CodePipelineSource.connection(props.repositoryName, props.repositoryBranch, { | |
| connectionArn: codeStarArn | |
| }); | |
| return new CodePipeline(scope, `Pipeline`, { | |
| synthCodeBuildDefaults: { | |
| buildEnvironment: { | |
| environmentVariables: { | |
| GITHUB_ACCESS_TOKEN: { | |
| value: `${GHSecret.secretName}:GITHUB_ACCESS_TOKEN`, | |
| type: BuildEnvironmentVariableType.SECRETS_MANAGER, | |
| }, | |
| }, | |
| }, | |
| }, | |
| codeBuildDefaults: { | |
| buildEnvironment: { | |
| environmentVariables: { | |
| GITHUB_ACCESS_TOKEN: { | |
| value: `${GHSecret.secretName}:GITHUB_ACCESS_TOKEN`, | |
| type: BuildEnvironmentVariableType.SECRETS_MANAGER, | |
| }, | |
| }, | |
| }, | |
| }, | |
| synth: new ShellStep('Synth', { | |
| input, | |
| commands: [ | |
| 'mv -f .npmrc_ci .npmrc 2>/dev/null; true', | |
| 'npm ci', | |
| 'npm run build', | |
| 'npx cdk synth', | |
| ], | |
| }), | |
| }); |
And that is it, hoping it makes some sense.
Top comments (0)