Fetch private GitHub dependency in GitHub Action with Access Token

Questions / Help
1

My projects are built/pushed as docker containers (for uniform deployment/handling with apps written in other languages). Everything worked fine, until I added a private repository from our organisation as a dependency.

After having done this in a previous job, I cannot get it to work now :sweat_smile:

User + Access Token

Previously, we simply had a ā€œmachine userā€ (normal user account created for the organization) and we then used their username + personal access token.

In our Dockerfile, weā€™d just replace any access to GitHub with basic auth using the service users credentials, something like this:

# Dockerfile

[container setup / install dependencies]

ARG GITHUB_USERNAME
ARG GITHUB_TOKEN
RUN git config --global url."https://$GITHUB_USERNAME:$GITHUB_TOKEN@github.com".insteadOf "https://github.com"

[mix commands]

Now, when passing the GITHUB_USERNAME and GITHUB_TOKEN as arguments to the docker build container, I get the following error:

1.215 remote: Support for password authentication was removed on August 13, 2021.

I am pretty sure I have used this method til summer 23, so I am bit confused.

GitHub Action Parameter

We use the GitHub - docker/build-push-action: GitHub Action to build and push Docker images with Buildx action to build the container. It has a parameter ā€œGIT_AUTH_TOKENā€ which states:

If you want to authenticate against another private repository, you have to use a secret named GIT_AUTH_TOKEN to be able to authenticate against it with Buildx:

however, this lead to:

fatal: could not read Username for ā€˜https://github.comā€™: No such device or address

which then lead me to fatal: could not read Username for 'https://github.com': No such device or address Ā· Issue #1112 Ā· docker/build-push-action Ā· GitHub which brought me back to

1.304 remote: Support for password authentication was removed on August 13, 2021.

How?

How do you authorize for private repositories in docker during mix deps.get?

2

Got it.

For anyone wondering how to pull private repositories during mix.compile using the docker-build-push GitHub action:

Create Access Token

Create a Personal Access Token (Sign in to GitHub Ā· GitHub ; Navigation: Profile > Settings > Developer Settings > Personal Access Tokens > Fine Grained Tokens). It should be able to read repositories you have access to.

Consider using a ā€œmachine userā€, as in a normal user account that was created just for the purpose of holding your tokens, if you are an organisation.

Add token as Secret

Create a secret in your organisation or repository, e.g. CI_ACCESS_TOKEN. (Repo: Settings > Secrets and Variables > Actions). Put in your previously created token. I made the mistake of adding it to an ā€œenvironmentā€ by accident at first and wondered why it was not working as intended.

Set up workflow file

In your github workflow file:

   - name: Build and push
     uses: docker/build-push-action@v5
     with:
       context: .
       file: ./Dockerfile
       push: true
       tags: ...
       secrets: |
         GIT_AUTH_TOKEN=${{ secrets.CI_ACCESS_TOKEN }}

Dockerfile

in your Dockefile, grab the secret, configure git, get the deps:

RUN --mount=type=secret,id=GIT_AUTH_TOKEN \
 GIT_AUTH_TOKEN=$(cat /run/secrets/GIT_AUTH_TOKEN) \
 && git config --global "url.https://${GIT_AUTH_TOKEN}@github.com.insteadof" "https://github.com" \
 && mix deps.get --only $MIX_ENV
1 Like
3

There is an alternate solution if you prefer SSH over HTTPS.

Check out the following action for instructions on how to set it up.