Module Reference
CodeArtifact — Package Registry
Private npm and PyPI package registries with GitHub Actions OIDC authentication.
Production
Directory: global/codeartifact/
Files: main.tf, iam.tf, outputs.tf, variables.tf
What It Manages
A centralized private package registry for internal Ontopix packages, with GitHub Actions OIDC roles for CI/CD access.
Domain
Domain: ontopix
Repositories
| Repository | Type | Purpose |
|---|---|---|
| npm | Internal | Internal npm packages |
| npm-upstream | Proxy | Upstream proxy to public npmjs |
| pypi | Internal | Internal Python packages |
| pypi-upstream | Proxy | Upstream proxy to public PyPI |
Internal repositories are configured with upstream proxies, so they serve both private packages and cached public packages.
OIDC Roles
| Role | Name | Tier | Permissions | Restricted To |
|---|---|---|---|---|
| Read | GitHubActions-CodeArtifact-ReadRole | CI | Read packages | Any branch, all ontopix/* repos |
| Publish | GitHubActions-CodeArtifact-PublishRole | Deploy + Release | Read + publish | Deploy branches (master/pre/dev) and tags (refs/tags/*), all ontopix/* repos |
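The branch and tag restrictions in the table are enforced by the role trust policies' conditions on the GitHub OIDC `sub` claim. The following is an added example, not code from this module's `iam.tf`: it models IAM `StringLike` matching and assumes the `sub` patterns and the `sts.amazonaws.com` audience shown, so a reviewer can check which workflow contexts each role would accept.

```python
import re

# Constructed for this example: the sub-claim patterns each role's trust policy
# is assumed to allow. They mirror the "Restricted To" column, not iam.tf itself.
READ_ROLE_SUBS = ["repo:ontopix/*"]
PUBLISH_ROLE_SUBS = [
    "repo:ontopix/*:ref:refs/heads/master",
    "repo:ontopix/*:ref:refs/heads/pre",
    "repo:ontopix/*:ref:refs/heads/dev",
    "repo:ontopix/*:ref:refs/tags/*",
]
EXPECTED_AUD = "sts.amazonaws.com"  # assumed audience pinned in the trust policy


def string_like(pattern: str, value: str) -> bool:
    """IAM StringLike semantics: '*' matches any run of characters (including
    ':' and '/'), '?' matches exactly one; matching is case-sensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


def assume_role_allowed(claims: dict, allowed_subs: list) -> bool:
    """Model the trust policy: the aud claim must equal the pinned audience and
    the sub claim must match at least one allowed pattern."""
    if claims.get("aud") != EXPECTED_AUD:
        return False
    sub = claims.get("sub", "")
    return any(string_like(p, sub) for p in allowed_subs)


def evaluate(sub: str, aud: str = EXPECTED_AUD) -> dict:
    """Return which of the two roles a token with this sub/aud could assume."""
    claims = {"sub": sub, "aud": aud}
    return {
        "read": assume_role_allowed(claims, READ_ROLE_SUBS),
        "publish": assume_role_allowed(claims, PUBLISH_ROLE_SUBS),
    }


if __name__ == "__main__":
    # Constructed sample sub claims in GitHub's repo:<owner>/<repo>:ref:<ref> form.
    for sub in ["repo:ontopix/api:ref:refs/heads/master",
                "repo:ontopix/api:ref:refs/heads/feature-x",
                "repo:ontopix/api:ref:refs/tags/v1.2.0",
                "repo:other-org/api:ref:refs/heads/master"]:
        print(sub, evaluate(sub))
```

Because `fullmatch` is used, a branch such as `master-hotfix` does not satisfy the `master` pattern, which is the behaviour a prefix check would get wrong.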
IAM Policies
| Policy | Key Permissions |
|---|---|
| CodeArtifactReadAccess | GetAuthorizationToken, ReadFromRepository, ListPackages, DescribePackageVersion |
| CodeArtifactWriteAccess | All read permissions + PublishPackageVersion, PutPackageMetadata |
How Teams Use It
CodeArtifact is fully centralized — unlike ECR, teams do not create their own repositories. Both npm and PyPI repositories are shared across the organization.
For detailed setup instructions, see the CodeArtifact + GitHub Actions pattern in the engineering handbook.