This is a setup for npm, docker images and react app (This doesn't matter i guess) In this post, we are going to be building a secure pipeline. When we say secure, we mean a) No PAT token is saved in source code or as a insecure variable. No credential is leak We also separate the pipeline and allow it to evolve independently. b) No token is written into docker image. User wil not be able to use docker inspect / docker history to obtain PAT token. In a nutshell, we use Azure Devops and build machine to install npm packages. Then copy all the files, assets and node_modules into docker for next steps to build it. I know some of you might say, we want a full containerized build. This is a good way too, if you think about it. you don't have to generate user .npmrc file and somehow maintain that in variable group. It just make the steps so much simpler. This is the Azure Devops build pipeline setup Let's look at the dockerfile setup