When running yarn, yarn.lock file is generated with private token from bash

Try to set up npm as described in Gem Fury documentation. The crucial parts are setting always-auth to true and using npm login

If this doesn't help then you can use Git pre-commit hooks that will remove credentials from yarn.lock when changes are commited to Git repository.

We solved this problem recently, but the Gemfury documentation doesn't really make it obvious. If you need to pull or push in your CI build then I don't think you should use npm login as that will modify your home .npmrc, which isn't very helpful. We found that all you need to do is change your project's .npmrc to use the shared organization account. This way you can have your project's .npmrc version controlled so your developers and your CI server can read from the same registry URL while keeping your lock file token-free:

@MY_ORG:registry=https://npm-proxy.fury.io/MY_ORG/
always-auth=true
//npm-proxy.fury.io/MY_ORG/:_authToken=${GEMFURY_TOKEN}