Docs

Private Modules and Packages

Last modified on June 20, 2025 • 6 min read • 1,071 words
Share via

Configure tokens to access private Hugo modules and npm packages, both locally and as part of CI/CD.

Local Development   Hugo Modules   Npm Packages   CI/CD Workflows   Hugo Modules   Npm Packages   Example GitHub Action  

  Warning

The information on this page is preliminary and subject to change. Please raise an issue  when the provided information is unclear or incorrect.

Local Development  

Use a combination of environment variables and credential management to safely configure your tokens. The authentication is slightly different for private Hugo modules and npm packages.

Hugo Modules  

Hinode provides several themes and modules as a private Hugo module. You will need a fine-grained personal access token with read access to the contents and metadata of those private Hugo modules. The following two sections explain two available options on how to configure access to private Hugo modules.

Using GitHub Credential Manager (Preferred)  

GitHub provides a CLI  to enable authentication to private and public repositories. When using the command gh auth, the CLI tool opens a new browser window, where you can authenticate yourself with GitHub. The login procedure supports both login/password and tokens. By default, this procedure supports one account per domain only. Run the following command to instruct git to use the full HTTP path of the repository instead.

git config --global credential.useHttpPath true
git config --global credential.useHttpPath true

From now on, git will trigger a authentication request when accessing a new repository. The GitHub CLI will store this information in the credential manager provided by your Operating System.

Using Git Configuration (Alternative)  

As an alternative, you can also use a git configuration that links a Personal Access Token to a specific domain using the insteadOf directive. For example, you can use the following command to configure a token to access the private module github.com/gethinode/mod-bookshop. Replace <PAT> with the actual token value. The value for <ACCOUNT> can be anything (but is mandatory). Git stores the token as plain text in ~/.gitconfig, which is less secure than the preferred approach.

git config --global \
url."https://<ACCOUNT>:<PAT>@github.com/gethinode/mod-bookshop".insteadOf \
"https://github.com/gethinode/mod-bookshop"
git config --global \
url."https://<ACCOUNT>:<PAT>@github.com/gethinode/mod-bookshop".insteadOf \
"https://github.com/gethinode/mod-bookshop"

To update an existing token, you need to manually remove the existing entry in ~/.gitconfig and rerun the git config command. Alternatively, you can update the existing token in the ~/.gitconfig file yourself.

Npm Packages  

Hinode publishes several utilities as npm packages on npm.pkg.github.com. The GitHub package registry requires authentication for both public and private packages. We will use a personal access token (classic) with read:packages privileges to access them. By using a credential manager and command substitution, we avoid storing the sensitive information in-memory or as plain text in a file.

Follow the instructions for your operating system below.

  Note

macOS supports multiple shells, including bash and Z shell (zsh). Adjust the commands pending your preferred shell. You can check your current shell with echo $SHELL.

Add the npm token to your keychain with the following command, providing your token (twice) when prompted for the password:

security add-generic-password -a "$USER" -s 'NPM_TOKEN' -w

Export the token as environment variable by adding the following line to ~/.bashrc or ~/.zshrc:

export NPM_TOKEN=$(security find-generic-password -s 'NPM_TOKEN' -w)

Open a new bash or zsh terminal to load the environment variable.

  Note

The following commands have been tested with Ubuntu and bash. You may need to change the package manager or commands when using a different Linux distribution or shell.

Install secret-tool to safely store your npm token:

sudo apt-get install libsecret-tools

Store the npm token with the following command, providing your token when prompted for the password:

secret-tool store --label="Hinode npm token" provider npm profile hinode key-pair secret

Export the token as environment variable by adding the following line to ~/.bashrc:

export NPM_TOKEN=$(secret-tool lookup provider npm profile hinode key-pair secret)

Open a new bash terminal to load the environment variable.

We will now use a npm configuration file to set up the authentication token. Create a new file .npmrc in the root folder of your local repository with the following content:

@gethinode:registry=https://npm.pkg.github.com/
//npm.pkg.github.com/:_authToken=${NPM_TOKEN}

npm will expand the variable ${NPM_TOKEN}, which has been defined as environment variable using command substitution in the previous step.

CI/CD Workflows  

You can use repository secrets to safely store the tokens in a GitHub Action. By using variable substitution, you can inject the tokens into the configuration files for Hugo modules and npm packages.

Hugo Modules  

  Caution

Avoid using the .netrc file for local development, as this intervenes with your current git authentication. Use the method described in Local Development instead.

Generate a .netrc file for the current user of the GitHub runner to configure access to a private Hugo module. Configure HUGO_TOKEN as repository secret. Then use the following step prior to the Hugo build step to generate (or overwrite) the ~/.npmrc file. Go, the underlying module framework used by Hugo, will use this token for all private modules hosted on github.com.

# Generate a .netrc file with the substituted HUGO_TOKEN secret for the current user
- name: Use GitHub token
    run: echo "machine github.com login ci password ${{ secrets.HUGO_TOKEN }}" > ~/.netrc

- name: Build main site
    run: npm run build

Npm Packages  

You can use an .npmrc file with the authentication token to configure the access to a private npm package. Configure NPM_TOKEN as repository secret. Then use the following step prior to the npm installation step to generate (or overwrite) the .npmrc file. npm will use this token for all packages owned by the @gethinode organization, hosted on the GitHub package registry npm.pkg.github.com.

- name: Update .npmrc
    run: |
    echo "@gethinode:registry=https://npm.pkg.github.com/" > .npmrc
    echo "//npm.pkg.github.com/:_authToken=${{ secrets.NPM_TOKEN }}" >> .npmrc

- name: Perform clean install of npm
    run: npm i
    shell: bash

Example GitHub Action  

The following example action builds a Hinode website that uses both private npm packages and Hugo modules. Deploy this action to your .github folder as usual.

name: Build
on:
  workflow_dispatch:

jobs:
  build:
    runs-on: ubuntu-latest

    steps:
    - name: Check out repository
      uses: actions/checkout@v4

    - name: Set up Node.js
      uses: actions/setup-node@v4
      with:
        node-version: lts/*
        cache: 'npm'
        cache-dependency-path: '**/package-lock.json'

    # Generate a local .npmrc file with the substituted NPM_TOKEN secret
    - name: Update .npmrc
      run: |
        echo "@gethinode:registry=https://npm.pkg.github.com/" > .npmrc
        echo "//npm.pkg.github.com/:_authToken=${{ secrets.NPM_TOKEN }}" >> .npmrc

    - name: Perform clean install of npm
      run: npm i
      shell: bash

    # Generate a .netrc file with the substituted HUGO_TOKEN secret for the current user
    - name: Use GitHub token
      run: echo "machine github.com login ci password ${{ secrets.HUGO_TOKEN }}" > ~/.netrc

    - name: Build main site
      run: npm run build
On this page: