I have a Node.js package available in public npm repository. Also I set up a build in AWS CodeBuild to run unit tests each time there's a new push into the master branch of package's repository on github.
I'd like to set up automatic invocation of npm publish in the build specification in case if package version increases and all tests pass.
Is it possible to authenticate in npm by invoking npm add-user inside AWS CodeBuild environment without compromising my npm credentials? Right now I'm the only maintainer of the package, but I'm looking for a general solution when the package and the build are maintained by a team.
What are some best practices for handling npm credentials while dealing with AWS CodeBuild?
One way to vend credentials in general with AWS CodeBuild is "EC2 parameter store". AWS CodeBuild supports bringing Parameter Store variables as regular environment variables to your build. You can use that to vend sensitive information like npm and AWS credentials.
Documentation
https://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref-env-vars.html
https://docs.aws.amazon.com/codebuild/latest/userguide/build-spec-ref.html#build-spec-ref-syntax