# codeartifact-login

> CodeArtifact login

Assume the CodeArtifact read role via OIDC, fetch an authorization token, and write ~/.netrc so uv/pip authenticate to the private index for the rest of the job. Pass the CODEARTIFACT_* repo variables (set by infra). The calling job needs `permissions: id-token: write`. Run after setup-python, before uv-sync.

## Inputs

| Input | Required | Default | Description |
|---|---|---|---|
| `role-arn` | yes | — | CODEARTIFACT_READ_ROLE_ARN -- the IAM role to assume via OIDC. |
| `region` | yes | — | CODEARTIFACT_REGION. |
| `domain` | yes | — | CODEARTIFACT_DOMAIN. |
| `domain-owner` | yes | — | CODEARTIFACT_DOMAIN_OWNER (the AWS account id that owns the domain). |
| `npm-repository-url` | no | — | CODEARTIFACT_NPM_REPOSITORY_URL. When set, also write ~/.npmrc so npm/yarn resolve the @fsh scope from CodeArtifact (npm/yarn don't read netrc). Leave empty for python-only jobs. |

## Usage

```yaml
- uses: actions/checkout@v6
- uses: FSHTech/github-actions/codeartifact-login@v1
  with:
    role-arn: ...
    region: ...
    domain: ...
    domain-owner: ...
```
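
The netrc step described above, sketched as an added example (not this action's own code) to show the credential-handling points worth checking when reviewing it: owner-only file mode, log masking, and an atomic write. The function names, argument order, and sample values are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not the action's implementation. Names are hypothetical.

# CodeArtifact endpoint host built from the action's domain, domain-owner, region inputs.
codeartifact_host() {
  printf '%s-%s.d.codeartifact.%s.amazonaws.com' "$1" "$2" "$3"
}

# Args: domain domain_owner region token [netrc_path]
write_codeartifact_netrc() {
  local domain=$1 owner=$2 region=$3 token=$4 netrc=${5:-$HOME/.netrc}
  local host tmp
  # Reject empty inputs and tokens containing whitespace (would break netrc parsing).
  if [ -z "$domain" ] || [ -z "$owner" ] || [ -z "$region" ] || [ -z "$token" ]; then
    return 2
  fi
  case $token in *[[:space:]]*) return 2 ;; esac
  host=$(codeartifact_host "$domain" "$owner" "$region")

  # On a GitHub runner, register the token as a secret so it is redacted from logs.
  if [ -n "${GITHUB_ACTIONS:-}" ]; then echo "::add-mask::$token"; fi

  # Write to an owner-only temp file, then rename: no window where the
  # token sits in a world-readable or half-written ~/.netrc.
  tmp=$(umask 077; mktemp "${netrc}.XXXXXX") || return 1
  # Keep entries for other hosts, drop a stale one for this host
  # (assumes one "machine ..." entry per line).
  if [ -f "$netrc" ]; then grep -v -F "machine $host " "$netrc" > "$tmp" || true; fi
  # printf is a shell builtin, so the token never appears in a process argv.
  printf 'machine %s login aws password %s\n' "$host" "$token" >> "$tmp"
  chmod 600 "$tmp" && mv -f "$tmp" "$netrc"
}

# In a job, after the role has been assumed via OIDC (variables are placeholders):
#   token=$(aws codeartifact get-authorization-token --domain "$DOMAIN" \
#             --domain-owner "$OWNER" --region "$REGION" \
#             --query authorizationToken --output text)
#   write_codeartifact_netrc "$DOMAIN" "$OWNER" "$REGION" "$token"
```
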