Update after some intense testing on our builds, for anyone having problems getting up and running with this, and in respect of the original question:
- Edit build definition => options => "Allow scripts to access OATH token"
When enabled, and VSTS encounters a .npmrc file, it will run the npm command
vsts-npm-auth
for you, which means the .npmrc in source control only have to contain
registry=https://YOUR_DOMAIN.pkgs.visualstudio.com/_packaging/FEEDNAME/npm/registry
always-auth=true
This goes for builds that uses the VSTS Npm task, be it publish
or install
Given that you set the environment variable NPM_TOKEN for the VSTS Build that is running, the npm publish
command is able to substitute this in your .npmrc file.
http://blog.npmjs.org/post/118393368555/deploying-with-npm-private-modules
So your .npmrc that you check into source control should look like
registry=https://YOUR_DOMAIN.pkgs.visualstudio.com/_packaging/FEEDNAME/npm/registry
always-auth=true
//YOUR_DOMAIN.pkgs.visualstudio.com/_packaging//npm/:_authToken=${NPM_TOKEN}
A token can be produced by either running the vsts-npm-auth command
https://www.npmjs.com/package/vsts-npm-auth
Note that on windows, it needs the full paths sometimes for both target and source rc files (where -T: write-token-to-this-target-file), e.g
vsts-npm-auth -config c:\mysrc\.npmrc -T c:\mysrc\.npmrc -V Detailed
or, it can be generated in the "Connect to feed" dialog inside your (web interface) VSTS account under "Packaging".
Also note that, if you'd like to publish this automated and continuously, you must also find a way to bump the version number, something like
npm version patch --force -m "Published new version"
Take a look at this thread for more
update package.json version automatically
VSTS does checkout HEAD commit id by default, so it's not straight forward to just run the npm version
command and push back to git since one is in detached state.