Fetching private GitHub repos from a Docker container
Amidst our efforts in containerizing Paperchain’s microservices, we ran into the issue of accessing our private github repos from the docker container. We came across 2 solutions on how to go about this
1. via SSH
Using the SSH method, we need to
- Add your ssh key to the container with the right permissions
- Setup the configuration in .gitconfig to use the SSH instead of HTTPS
- Then skip host verification for git
FROM golang:alpine# Copy SSH key for git private repos
ADD .ssh/id_rsa /root/.ssh/id_rsa
RUN chmod 600 /root/.ssh/id_rsa# Use git with SSH instead of https
RUN echo “[url \”git@github.com:\”]\n\tinsteadOf = https://github.com/" >> /root/.gitconfig# Skip Host verification for git
RUN echo “StrictHostKeyChecking no “ > /root/.ssh/config
While this SSH method is largely popular, the fact that it relied on copying over the private key from an OS specific file location, just wasn’t the most streamlined setup for us. There had to be a better way and there was. We can use GitHub’s access token!
2. via HTTPS with Access Token method
In order to use HTTPS via the access token method, we need to first create the GitHub access token, which you can find at Your Profile → Settings → Personal Access Tokens → Generate New Token
Selecting the very first scope block allows your token to access to private repos
Now we can use the token in the Dockerfile, in a single line! Note that you don’t have to use a password with the token in the url.
RUN git config --global url.”https://{token}:@github.com/".insteadOf “https://github.com/"You can take things further with arguments and environment variables.
However, the downside of this approach that there needs to be a token generated by every user wishing to build image. It would probably make things easier if GitHub allowed access tokens with stricter scopes on the organization level. Travis CI recommends creating a dedicated CI user account under the organization account for increased security.
Heroku
Our team has used Heroku for initial builds, prior to containerization and our move to GCP. Heroku’s dyno configuration also requires the access token to be setup as a config variable with key GO_GIT_CRED__HTTPS__GITHUB__COM
Hope these notes help other engineers who may encounter this. Follow Paperchain to keep up with our technical updates and blogs. Cheers!
