Fetch private GitHub dependency in GitHub Action with Access Token

My projects are built/pushed as docker containers (for uniform deployment/handling with apps written in other languages). Everything worked fine, until I added a private repository from our organisation as a dependency.

After having done this in a previous job, I cannot get it to work now :sweat_smile:

User + Access Token

Previously, we simply had a “machine user” (normal user account created for the organization) and we then used their username + personal access token.

In our Dockerfile, we’d just replace any access to GitHub with basic auth using the service users credentials, something like this:

# Dockerfile

[container setup / install dependencies]

ARG GITHUB_USERNAME
ARG GITHUB_TOKEN
RUN git config --global url."https://$GITHUB_USERNAME:$GITHUB_TOKEN@github.com".insteadOf "https://github.com"

[mix commands]

Now, when passing the GITHUB_USERNAME and GITHUB_TOKEN as arguments to the docker build container, I get the following error:

1.215 remote: Support for password authentication was removed on August 13, 2021.

I am pretty sure I have used this method til summer 23, so I am bit confused.

GitHub Action Parameter

We use the GitHub - docker/build-push-action: GitHub Action to build and push Docker images with Buildx action to build the container. It has a parameter “GIT_AUTH_TOKEN” which states:

If you want to authenticate against another private repository, you have to use a secret named GIT_AUTH_TOKEN to be able to authenticate against it with Buildx:

however, this lead to:

fatal: could not read Username for ‘https://github.com’: No such device or address

which then lead me to fatal: could not read Username for 'https://github.com': No such device or address · Issue #1112 · docker/build-push-action · GitHub which brought me back to

1.304 remote: Support for password authentication was removed on August 13, 2021.

How?

How do you authorize for private repositories in docker during mix deps.get?

Got it.

For anyone wondering how to pull private repositories during mix.compile using the docker-build-push GitHub action:

Create Access Token

Create a Personal Access Token (Sign in to GitHub · GitHub ; Navigation: Profile > Settings > Developer Settings > Personal Access Tokens > Fine Grained Tokens). It should be able to read repositories you have access to.

Consider using a “machine user”, as in a normal user account that was created just for the purpose of holding your tokens, if you are an organisation.

Add token as Secret

Create a secret in your organisation or repository, e.g. CI_ACCESS_TOKEN. (Repo: Settings > Secrets and Variables > Actions). Put in your previously created token. I made the mistake of adding it to an “environment” by accident at first and wondered why it was not working as intended.

Set up workflow file

In your github workflow file:

   - name: Build and push
     uses: docker/build-push-action@v5
     with:
       context: .
       file: ./Dockerfile
       push: true
       tags: ...
       secrets: |
         GIT_AUTH_TOKEN=${{ secrets.CI_ACCESS_TOKEN }}

Dockerfile

in your Dockefile, grab the secret, configure git, get the deps:

RUN --mount=type=secret,id=GIT_AUTH_TOKEN \
 GIT_AUTH_TOKEN=$(cat /run/secrets/GIT_AUTH_TOKEN) \
 && git config --global "url.https://${GIT_AUTH_TOKEN}@github.com.insteadof" "https://github.com" \
 && mix deps.get --only $MIX_ENV
1 Like