79346671

Date: 2025-01-10 18:24:31
Score: 0.5

I've come across similar situations in the past, and I would usually do one of these:

  1. Put the entire contents of the .npmrc file into a GitHub Actions secret, then print it to a new .npmrc file in your action.
  2. Store the token and other info as a secret, then create a new .npmrc file and inject the secrets into the file.

If you were to go the second route, you would probably have something like this in your GitHub Actions workflow:

# ...

jobs:
  publish-npm:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Publish
        run: |
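          # These use the variables defined in the step's env.
          # NPM_REGISTRY must be a full URL ending in "/", e.g. https://host/
          echo "registry=${NPM_REGISTRY}" > .npmrc
          # Auth lines are keyed by the registry URL without its scheme: //host/:_authToken=...
          echo "//${NPM_REGISTRY#*://}:_authToken=${NPM_TOKEN}" >> .npmrc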

          npm publish
        env:  # Secrets from GitHub are injected below
          NPM_REGISTRY: ${{ secrets.NPM_REGISTRY }} 
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}

In your GitHub repository, define NPM_REGISTRY and NPM_TOKEN as secrets (docs) by going to Settings > Security > Actions > Secrets.

Resources

Reasons:
  • Blacklisted phrase (0.5): medium.com
  • Probably link only (1):
  • Long answer (-1):
  • Has code block (-0.5):
  • Low reputation (0.5):
Posted by: Ikehunter5
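
The second route from the answer above, as an added example that is not part of the original post: it derives the scheme-less key npm expects for the `_authToken` line from the registry URL, rejects values that would corrupt the file, and creates `.npmrc` readable by the owner only. The helper names `npmrc_auth_key` and `write_npmrc` are hypothetical; `NPM_REGISTRY` and `NPM_TOKEN` are the variable names used in the answer.

```shell
#!/bin/sh
# Added example: build .npmrc from NPM_REGISTRY / NPM_TOKEN (names from the answer).
# npmrc_auth_key and write_npmrc are hypothetical helper names.

# Print the scheme-less "//host/path/" key that npm uses for per-registry auth lines.
npmrc_auth_key() {
  case "$1" in
    *[[:space:]]*) echo "registry URL contains whitespace" >&2; return 1 ;;
    https://?*) ;;
    *) echo "registry must be an https:// URL" >&2; return 1 ;;
  esac
  key=${1#https:}            # "https://host/path/" -> "//host/path/"
  printf '%s/\n' "${key%/}"  # exactly one trailing slash
}

# Write registry and token lines to the file named in $1, readable by the owner only.
write_npmrc() {
  [ -n "${NPM_REGISTRY:-}" ] || { echo "NPM_REGISTRY is not set" >&2; return 1; }
  [ -n "${NPM_TOKEN:-}" ] || { echo "NPM_TOKEN is not set" >&2; return 1; }
  # Whitespace or a newline in the token would add or corrupt config lines.
  case "$NPM_TOKEN" in
    *[[:space:]]*) echo "NPM_TOKEN contains whitespace" >&2; return 1 ;;
  esac
  auth_key=$(npmrc_auth_key "$NPM_REGISTRY") || return 1
  (
    umask 077                # new file is created with mode 0600
    rm -f "$1"               # drop any older copy with looser permissions
    {
      printf 'registry=https:%s\n' "$auth_key"
      printf '%s:_authToken=%s\n' "$auth_key" "$NPM_TOKEN"
    } > "$1"
  )
}

# In the workflow's run step: write_npmrc .npmrc && npm publish
```

Using `printf` with the values passed as arguments keeps the token out of any format string, and the function never prints it to the job log.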