2

I'm trying to add my private GitHub repository, through the composer.json file, while building a Docker image, but I can't make it work no matter what I try.

I want the simplest approach possible; it doesn't have to be the most secure, but at least acceptable. I'm hoping it's possible to do with a "Personal Access Token".

Here's my attempt:

FROM php:8-fpm

# Set working directory
WORKDIR /var/www

# Set args
ARG GIT_ACCESS_TOKEN
ARG GIT_PRIVATE_KEY
ARG GIT_HASH
ENV GIT_HASH=$GIT_HASH

# add credentials on build
#RUN touch ~/.composer/auth.json
RUN mkdir ~/.composer
RUN echo '{"github-oauth":{"github.com": "${GIT_ACCESS_TOKEN}"}}' > ~/.composer/auth.json

# Install dependencies
RUN apt-get update && apt-get install -y \
    nano \
    build-essential \
    default-mysql-client \
    locales \
    zip \
    libzip-dev \
    unzip \
    git \
    curl \
    libssl-dev \
    libonig-dev

# Install extensions
RUN docker-php-ext-install opcache pdo_mysql mbstring zip ftp mysqli bcmath

# GitHub access to LCMS
RUN git config --global url."https://${GIT_ACCESS_TOKEN}@github.com".insteadOf "ssh://git@github.com"

RUN mkdir -p ~/.ssh/ && \
    echo ${GIT_ACCESS_TOKEN} > ~/.ssh/id_rsa && \
    chmod -R 600 ~/.ssh/ && \
    ssh-keyscan -t rsa github.com >> ~/.ssh/known_hosts

# Copy composer.lock and composer.json
COPY ./web/composer.json /var/www/

# Install composer
RUN curl -sS https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin --filename=composer

# Install vendor dependencies through composer
RUN composer install

# Install opcache settings for php
COPY ./web/nginx/php.ini $PHP_INI_DIR/conf.d/opcache.ini

# Copy existing application directory contents
COPY ./web /var/www

# Clean up
RUN apt-get remove -y git && apt-get autoremove -y && apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*

# Expose port 9000 and start php-fpm server
EXPOSE 9000

I'm always greeted with errors from GitHub. If I run the code above, I get this error:

> [11/14] RUN composer install:
#15 0.196 Do not run Composer as root/super user! See https://getcomposer.org/root for details
#15 0.226 No composer.lock file present. Updating dependencies to latest instead of installing from lock file. See https://getcomposer.org/install for more information.
#15 0.226 Loading composer repositories with package information
#15 0.877
#15 0.883
#15 0.883   [RuntimeException]
#15 0.883   Failed to execute git clone --mirror -- 'git@github.xxxxx/xxxxx' '/root/.composer/cache/vcs/git-github.com-xxxxxxx/'
#15 0.883
#15 0.883   Cloning into bare repository '/root/.composer/cache/vcs/git-github.com-xxxxxxx'...
#15 0.883   Warning: Permanently added the RSA host key for IP address '140.82.121.3' to the list of known hosts.
#15 0.883   Load key "/root/.ssh/id_rsa": invalid format
#15 0.883   git@github.com: Permission denied (publickey).
#15 0.883   fatal: Could not read from remote repository.
#15 0.883
#15 0.883   Please make sure you have the correct access rights
#15 0.883   and the repository exists.

Anyone with suggestions?

Paul
Oakleaf

1 Answer

2

Your personal access token is not meant to be used as an SSH key; it's a replacement for your personal GitHub password and can only be used with HTTPS connections.

A working minimal Dockerfile would be:

FROM php:8-fpm

ARG GIT_ACCESS_TOKEN

RUN apt-get update && apt-get install -y git

RUN git clone https://yourusername:${GIT_ACCESS_TOKEN}@github.com/yourusername/yourrepo.git

You can then use the ARG on the build command line:

docker build --build-arg GIT_ACCESS_TOKEN="YOURLONGACCESSTOKEN" .

BUT:

Your access token will be visible to everybody who has access to your image.

This is noted in the Dockerfile documentation:

Warning:

It is not recommended to use build-time variables for passing secrets like github keys, user credentials etc. Build-time variable values are visible to any user of the image with the docker history command.

You should use a multi-stage build or use the newer Build secrets to prevent this.

Gerald Schneider
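The answer names two ways to keep the token out of the image, a multi-stage build and BuildKit build secrets. The Dockerfile below is an added example that combines both; it is not code from the question or the answer. It assumes the same layout as the question (the application under ./web, a php:8-fpm base, and the extension list from the question) and a token file on the build host at ~/.github_token; the secret id github_token is an arbitrary name chosen here. Composer itself is copied from the official composer image rather than installed via a piped installer, and the token is handed to Composer through the COMPOSER_AUTH environment variable, which Composer reads as an in-memory auth.json, so the token is never written to a layer and never passes through ARG or ENV.

```dockerfile
# syntax=docker/dockerfile:1

# --- Stage 1: resolve dependencies; the token exists only inside this stage ---
FROM php:8-fpm AS vendor

# Silences the "Do not run Composer as root" warning seen in the question's build log.
ENV COMPOSER_ALLOW_SUPERUSER=1

WORKDIR /var/www

# git and unzip are what Composer needs for VCS and dist installs; they stay in this stage.
RUN apt-get update && apt-get install -y --no-install-recommends git unzip \
    && rm -rf /var/lib/apt/lists/*

# Take the composer binary from the official image instead of piping an installer into php.
COPY --from=composer:2 /usr/bin/composer /usr/local/bin/composer

# Copy composer.lock here as well once the project has one (the question's log shows it is missing).
COPY ./web/composer.json /var/www/

# The token is mounted as a file at /run/secrets/github_token for this single RUN step only
# (secret id "github_token" is an arbitrary name used by this example). It is neither an ARG
# nor an ENV, so `docker history` records the literal $(cat ...) text, not the token value, and
# COMPOSER_AUTH keeps the credentials in memory, so nothing is written into the layer either.
# --no-scripts avoids running the project's post-install scripts before the app code exists.
RUN --mount=type=secret,id=github_token \
    COMPOSER_AUTH="{\"github-oauth\":{\"github.com\":\"$(cat /run/secrets/github_token)\"}}" \
    composer install --no-dev --no-interaction --prefer-dist --no-scripts --no-progress

# --- Stage 2: runtime image, built from a clean base that never saw the token ---
FROM php:8-fpm

WORKDIR /var/www

# Build deps for the extensions listed in the question; libzip-dev (zip), libonig-dev (mbstring),
# libssl-dev (ftp) are the ones those extensions compile against on the php:8 image.
RUN apt-get update && apt-get install -y --no-install-recommends \
        libzip-dev libonig-dev libssl-dev \
    && docker-php-ext-install opcache pdo_mysql mbstring zip ftp mysqli bcmath \
    && rm -rf /var/lib/apt/lists/*

COPY ./web/nginx/php.ini $PHP_INI_DIR/conf.d/opcache.ini

# Only the resolved vendor tree crosses the stage boundary; git, Composer and the token do not.
COPY --from=vendor /var/www/vendor /var/www/vendor
COPY ./web /var/www

EXPOSE 9000
```

Build it with the token supplied from a file rather than a build argument, for example `docker build --secret id=github_token,src=$HOME/.github_token -t myapp .`, and check the result with `docker history --no-trunc myapp`: the RUN line shows the unexpanded `$(cat /run/secrets/github_token)` and the token itself appears nowhere. The token only needs to read the private repository, so a fine-grained personal access token scoped to that repository with read-only Contents permission is enough. With a working github-oauth credential Composer talks to the GitHub API over HTTPS for github.com repositories, so none of the SSH key, known_hosts or insteadOf setup from the question is needed. Note also why the question's auth.json approach could never have worked: the JSON there is single-quoted in the RUN line, so the shell never expands `${GIT_ACCESS_TOKEN}` and the file contains that literal string, which is why Composer fell back to the SSH clone seen in the log.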