NPM package registry documentation recommends a practice that is insecure and can lead to leaked access tokens

Proposal

We had an incident where a team member leaked their personal access token while trying to learn how to work with packages in GitLab. They committed their personal access token to a public repository and someone from outside GitLab spotted the token and (thankfully) reported it to us.

I think that can be partially attributed to the fact that we recommend doing that in the documentation: https://docs.gitlab.com/ee/user/packages/npm_registry/#authenticate-with-a-ci-job-token

The way it's written right now, we suggest using a .npmrc file with the hardcoded _authToken and present using CI variables as an alternative. I think we should document how to do it with CI variables first and mention the .npmrc way as a potential alternative for working locally, but also mention that this file should never be committed with a hardcoded _authToken in it.
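As an added example (not part of this issue or of GitLab's documentation; the host gitlab.example.com and the scope name are placeholders), the following POSIX shell snippet writes an .npmrc that references the token through npm's `${VAR}` expansion so the file carries no secret and can safely live in a repository, and provides a pre-commit style check that flags any _authToken whose value is a literal rather than a `${VAR}` reference:

```shell
#!/bin/sh
# Added example: hypothetical registry host and scope; not GitLab's own code.

# Write an .npmrc whose _authToken is an environment-variable reference.
# npm expands ${CI_JOB_TOKEN} at run time, so the committed file holds no secret.
#   $1 = path to write, $2 = GitLab host, $3 = npm scope (without the leading @)
write_npmrc_with_env() {
  printf '%s\n' \
    "@$3:registry=https://$2/api/v4/packages/npm/" \
    "//$2/api/v4/packages/npm/:_authToken=\${CI_JOB_TOKEN}" > "$1"
}

# Return 0 (true) when the file has an _authToken whose value is anything other
# than a ${VAR} reference, i.e. a hardcoded token that must not be committed.
# Returns 1 when every _authToken is a variable reference or none is present.
npmrc_has_hardcoded_token() {
  grep -E '_authToken=' "$1" 2>/dev/null \
    | grep -Ev '_authToken=\$\{[A-Za-z_][A-Za-z0-9_]*\}[[:space:]]*$' >/dev/null
}

# Usage as a pre-commit hook: refuse the commit if any staged .npmrc is unsafe.
#   for f in $(git diff --cached --name-only | grep '\.npmrc$'); do
#     npmrc_has_hardcoded_token "$f" && { echo "hardcoded _authToken in $f"; exit 1; }
#   done
```

For local development the same .npmrc works when CI_JOB_TOKEN (or a variable of your choosing) is exported in the shell, which keeps the personal access token out of the file entirely.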