From ca2e28376a90a8aa96fec08d4d4aa253bdf0ce8b Mon Sep 17 00:00:00 2001
From: Jason Walton <github@lucid.thedreaming.org>
Date: Tue, 10 Sep 2019 13:32:30 -0400
Subject: [PATCH] Example showing how to use this to install private packages
 securely. (#56)

---
 README.md | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/README.md b/README.md
index e8c00d7e..dec3ecd5 100644
--- a/README.md
+++ b/README.md
@@ -83,6 +83,24 @@ steps:
     NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 ```
 
+Use private packages:
+```yaml
+steps:
+- uses: actions/checkout@master
+- uses: actions/setup-node@v1
+  with:
+    node-version: '10.x'
+    registry-url: 'https://registry.npmjs.org'
+# Skip post-install scripts here, as a malicious
+# script could steal NODE_AUTH_TOKEN.
+- run: npm install --ignore-scripts
+  env:
+    NODE_AUTH_TOKEN: ${{ secrets.YARN_TOKEN }}
+# `npm rebuild` will run all those post-install scritps for us.
+- run: npm rebuild && npm run prepare --if-present
+```
+
+
 # License
 
 The scripts and documentation in this project are released under the [MIT License](LICENSE)