How authenticate a CI runner to be able to install packages from a private GitLab NPM registry?

Follow up on my comment on NPM registry authentication tied to specific user , but repeating some here. Until we get working Job tokens, I’m fine with publishing from the devs computer, from which they will be accurately authed. Even with that workaround, I’m unsure how to give my other projects, that use this private package, access. The only way I know is to set a npmrc with my own credentials. I considered adding a custom deploy user, but then I’d have to pay for another seat… any other options here?