Access private git repos via npm install in a Docker container

I am in the process of setting up a Docker container that will pull private repos from GitHub as part of the process. At the moment I am using an Access Token that I pass from the command line (will change once build gets triggered via Jenkins).

docker build -t my-container --build-arg GITHUB_API_TOKEN=123456 .

# Dockerfile
# Env Vars
ARG GITHUB_API_TOKEN
ENV GITHUB_API_TOKEN=${GITHUB_API_TOKEN}

RUN git clone https://${GITHUB_API_TOKEN}@github.com/org/my-repo

This works fine and seems to be a secure way of doing this? (though need to check the var GITHUB_API_TOKEN only being available at build time)

I am looking to find out how people deal with SSH keys or access tokens when running npm install and dependencies pull from GitHub.

"devDependencies": {
  "my-repo": "git@github.com:org/my-repo.git",
  "electron": "^1.7.4"
}

At the moment I cannot pull this repo, as I get the error "Please make sure you have the correct access rights", as I have no SSH keys set up in this container.

asked Jul 18 '17 10:07

Richlewis


2 Answers

Use the multi-stage build approach.

Your Dockerfile should look something like this:

FROM alpine/git as base_clone
ARG GITHUB_API_TOKEN
WORKDIR /opt
RUN git clone https://${GITHUB_API_TOKEN}@github.com/org/my-repo

FROM <whatever>
COPY --from=base_clone /opt/my-repo /opt
...
...
...

Build:

docker build -t my-container --build-arg GITHUB_API_TOKEN=123456 .

The Github API Token secret won't be present in the final image.

answered Sep 21 '22 19:09

Robert
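
A check that goes with the clone step above, added here as an example and not part of the original answer: `git clone https://TOKEN@host/...` records that URL, token included, as `remote.origin.url` in the clone's `.git/config`, and that file travels with the repository directory wherever it is copied. The function names are hypothetical; the script scans a directory tree for such URLs (masking the secret in its report) and can rewrite them without the credential.

```sh
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
# `git clone https://TOKEN@host/...` stores that URL, token included, as
# remote.origin.url in <repo>/.git/config; these helpers find and remove it.

# Matches a remote URL line with userinfo: "url = https://<secret>@host/..."
CRED_URL_RE='^[[:space:]]*url[[:space:]]*=[[:space:]]*https?://[^/@[:space:]]+@'

# scan_git_credentials DIR
# Prints one "<config file>:<url line>" per hit with the secret masked, so the
# report is safe for CI logs. Returns 0 if anything was found, 1 if clean.
scan_git_credentials() {
    _hits=$(find "$1" -type f -path '*/.git/config' \
                -exec grep -HE "$CRED_URL_RE" {} + 2>/dev/null |
            sed -E 's#(https?://)[^/@[:space:]]+@#\1***@#') || true
    [ -n "$_hits" ] || return 1
    printf '%s\n' "$_hits"
}

# strip_git_credentials DIR
# Rewrites every matching remote URL in place without the userinfo part.
# The token itself stays valid until it is revoked at the provider.
strip_git_credentials() {
    find "$1" -type f -path '*/.git/config' -exec sh -c '
        for cfg in "$@"; do
            sed -E "s#^([[:space:]]*url[[:space:]]*=[[:space:]]*https?://)[^/@[:space:]]+@#\1#" \
                "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
        done' sh {} +
}
```

Point it at the directory a later stage copies, for example `/opt/my-repo` in the clone stage above, before the `COPY --from` runs.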


docker secrets is a thing, but it's only available to containers that are part of a docker swarm. It is meant for handling things like SSH keys. You could do as the documentation suggests and create a swarm of 1 to utilize this feature.

docker-compose also supports secrets, though I haven't used them with compose.

answered Sep 20 '22 19:09

bluescores