David A. Windham
david
/
daw
1
0
Fork 0
Files Issues 0 Pull Requests 0
Browse Source

chore: scaffold FA Pro .npmrc (env-var token, no secret committed)

Committed .npmrc sets the @fortawesome registry + reads the auth token from
${FONTAWESOME_NPM_TOKEN} at install time (no token in the file). Token lives in
the shell env (~/.zprofile), never in git. .gitignore covers .env/.env.*/.npmrc.local
as a safety net. Plan note updated to the env-var approach.
windhamdavid 1 week ago
parent
434dc0421b
commit
c6d05a3a2f
3 changed files with 19 additions and 2 deletions
Split View Show Diff Stats
  1. 6 0
      .gitignore
  2. 9 0
      .npmrc
  3. 4 2
      _claude/notes/upgrade-plan.md

+ 6 - 0
.gitignore
View File 

@@ -7,6 +7,12 @@ npm-debug.log
 
 node_modules/
 
 build/
 
 
+# secrets — the FA Pro token lives in the env (FONTAWESOME_NPM_TOKEN), never a file.
 
+# .npmrc IS committed (env-var ref, no token); ignore any local token/env files.
 
+.env
 
+.env.*
 
+.npmrc.local
 
+
 
 .idea/
 
 .vscode/

+ 9 - 0
.npmrc
View File 

@@ -0,0 +1,9 @@
 
+; Font Awesome Pro registry — committed, and contains NO secret.
 
+; The auth token is read from the FONTAWESOME_NPM_TOKEN environment variable at
 
+; install time. Set it OUTSIDE the repo, e.g. in ~/.zprofile:
 
+;
 
+;   export FONTAWESOME_NPM_TOKEN="your-fa-pro-token"
 
+;
 
+; Do NOT paste the raw token into this file.
 
+@fortawesome:registry=https://npm.fontawesome.com/
 
+//npm.fontawesome.com/:_authToken=${FONTAWESOME_NPM_TOKEN}

+ 4 - 2
_claude/notes/upgrade-plan.md
View File 

@@ -120,8 +120,10 @@ font + ~2000 CSS rules + the npm dep all gone). `v4-style.min.css` **472 → 393
 
   (`@fortawesome/pro-*-svg-icons` / a kit) from FA's authed registry — **not** the webfont —
 
   and feed them through the sprite. Swapping sets later = change the package + regenerate.
 
   Replaces FA-font **and** FontMfizz.
 
-  - **Secret:** FA Pro npm needs a token in `.npmrc` → **gitignore `.npmrc`**; commit a
 
-    `.npmrc.example` with the registry line (no token).
 
+  - **Secret (DONE 2026-06-21):** committed **`.npmrc`** holds the registry + an env-var
 
+    ref `_authToken=${FONTAWESOME_NPM_TOKEN}` (no token in the file, so it's safe to commit);
 
+    the actual token lives in the shell env (`export FONTAWESOME_NPM_TOKEN=…` in `~/.zprofile`).
 
+    `.gitignore` covers `.env`/`.env.*`/`.npmrc.local` as a safety net.
 
 - **One-off icons** (the 8 header, the couple FontMfizz spots) stay hand-inlined SVG — no dep.
 
 - **Text/display fonts:** use **`@fontsource/*`** (npm — versioned woff2 + `@font-face`) for fonts
 
   that have it; self-host woff2 for niche ones (Computer Modern). Declare all in `theme.json`