Yeah, in the author's example they are writing a .npmrc file, but it could also just as easily be outputting the env variable of the secret. Fundamentally, if NPM can access the secret in the build, that means anyone who can modify the build process can also access the secret.
There are so many vectors of vulnerability: from modifying NPM package.json scripts, to modifying makefiles, to modifying the build scripts, etc., that I find the only true solution is to have one public repo that accepts PRs from the public and only does checks like linting and running the tests, but does not have any access to secrets for publish. Ideally the public repo also does not contain your actual publish scripts either; only you as the package owner have access to them, as they are stored in your own private repo.
Then have another private repo that you sync into, or an external, fully private build system, that keeps the secrets and does the real NPM publish. I think it is just far too dangerous to do the NPM publish from the public-facing repo. I assume the author is well aware of this too, but just wanted to include a warning in case anyone else hasn't run into this or thought of it yet.
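The two-stage split described in the comment above, as an added shell example that is not code from the comment or from the article it replies to. It simulates a build script that a PR author could plant via package.json "scripts" or a Makefile, runs it once the way a single public-repo publish job would (token in the environment and in .npmrc), then once the way the untrusted stage should (scrubbed environment, throwaway HOME), and finally shows a separate publish stage that alone holds the token. The token value, the .npmrc line and the malicious script are constructed for the demo; `npm` itself is never invoked.

```shell
#!/bin/sh
# Added example, not code from the original comment or the article it replies to.
# Simulates the split argued for above: the repo's build script (which a PR
# author can change) runs in a stage that holds no publish secret, and the
# token exists only in a separate trusted stage. Token value, malicious script
# and .npmrc layout are constructed for the demo; npm is not invoked.

DEMO_TOKEN="npm_EXAMPLE_TOKEN_do_not_use"   # constructed placeholder, never a real token

# A build/prepack script as an attacker could plant it through package.json
# "scripts" (or a Makefile): it reads the token from wherever CI put it.
make_malicious_build_script() {
  cat > "$1" <<'EOF'
echo "env NPM_TOKEN=${NPM_TOKEN:-<unset>}"
if [ -f "$HOME/.npmrc" ]; then echo "npmrc: $(cat "$HOME/.npmrc")"; else echo "npmrc: <absent>"; fi
EOF
}

# Unsafe pattern (a single publish job in the public repo): the token is
# exported into the job and written to .npmrc before the repo's scripts run.
run_unsafe_ci() {
  script=$1
  home=$(mktemp -d)
  printf '//registry.npmjs.org/:_authToken=%s\n' "$DEMO_TOKEN" > "$home/.npmrc"
  NPM_TOKEN="$DEMO_TOKEN" HOME="$home" sh "$script"
  rm -rf "$home"
}

# Stage 1 of the split: lint/test/build with a scrubbed environment and a
# throwaway HOME. env -i starts from nothing; only PATH and HOME are passed in,
# so there is no secret for a modified script to read.
run_untrusted_stage() {
  script=$1
  home=$(mktemp -d)
  env -i PATH="$PATH" HOME="$home" sh "$script"
  rm -rf "$home"
}

# Stage 2 of the split: the trusted publish context. The token is materialised
# into a private HOME for one command only (in real life something like
# `npm publish --ignore-scripts` against the artifact stage 1 produced) and is
# never present while anything the public repo controls is running.
run_publish_stage() {
  home=$(mktemp -d)
  printf '//registry.npmjs.org/:_authToken=%s\n' "$DEMO_TOKEN" > "$home/.npmrc"
  HOME="$home" "$@"
  status=$?
  rm -rf "$home"
  return $status
}

# Helper for the demo: does captured output contain the token?
contains_token() { printf '%s' "$1" | grep -qF "$DEMO_TOKEN"; }

demo() {
  script=$(mktemp)
  make_malicious_build_script "$script"
  echo "--- single job with secret (unsafe) ---";   run_unsafe_ci "$script"
  echo "--- untrusted stage, no secret (safe) ---"; run_untrusted_stage "$script"
  echo "--- publish stage alone sees the token ---"; run_publish_stage sh -c 'cat "$HOME/.npmrc"'
  rm -f "$script"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh split_publish.sh demo` (file name assumed). The unsafe run prints the token twice, from the environment and from .npmrc; the scrubbed run prints `<unset>` and `<absent>` for the same script. In a real pipeline the `env -i` stage is the public repo's CI, the publish stage lives in the private repo or build system, and the only thing that crosses between them is the built artifact.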