Score:0

Add private GitHub repository "the right way" in dockerfile (w composer.json)

ph flag

I'm trying to add my private GitHub repository, through the composer.json-file, while building a docker image. But I can't make it work no matter what I try.

I want the most simple approach possible, it doesn't have to be the most secure but at least acceptable. I'm hoping it's possible to do with a "Personal Access Token".

Here's my attempt;

FROM php:8-fpm

# Set working directory
WORKDIR /var/www

# Set args
ARG GIT_ACCESS_TOKEN
ARG GIT_PRIVATE_KEY
ARG GIT_HASH
ENV GIT_HASH=$GIT_HASH

# add credentials on build
#RUN touch ~/.composer/auth.json
RUN mkdir ~/.composer
RUN echo '{"github-oauth":{"github.com": "${GIT_ACCESS_TOKEN}"}}' > ~/.composer/auth.json

# Install dependencies
RUN apt-get update && apt-get install -y \
    nano \
    build-essential \
    default-mysql-client \
    locales \
    zip \
    libzip-dev \
    unzip \
    git \
    curl \
    libssl-dev \
    libonig-dev

# Install extensions
RUN docker-php-ext-install opcache pdo_mysql mbstring zip ftp mysqli bcmath

# GitHub access to LCMS
RUN git config --global url."https://${GIT_ACCESS_TOKEN}@github.com".insteadOf "ssh://[email protected]"

RUN mkdir -p ~/.ssh/ && \
    echo ${GIT_ACCESS_TOKEN} > ~/.ssh/id_rsa && \
    chmod -R 600 ~/.ssh/ && \
    ssh-keyscan -t rsa github.com >> ~/.ssh/known_hosts

# Install composer
# Copy composer.lock and composer.json
COPY ./web/composer.json /var/www/
RUN curl -sS https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin --filename=composer

# Install vendor dependencies through composer
RUN composer install

# Install opache settings for php
COPY ./web/nginx/php.ini $PHP_INI_DIR/conf.d/opcache.ini

# Copy existing application directory contents
COPY ./web /var/www

# Clean up
RUN apt-get remove -y git && apt-get autoremove -y && apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*

# Expose port 9000 and start php-fpm server
EXPOSE 9000

I'm always greeted with errors from GitHub. If I run the code above, I get this error;

> [11/14] RUN composer install:                                                                                    
#15 0.196 Do not run Composer as root/super user! See https://getcomposer.org/root for details                      
#15 0.226 No composer.lock file present. Updating dependencies to latest instead of installing from lock file. See https://getcomposer.org/install for more information.
#15 0.226 Loading composer repositories with package information
#15 0.877 
#15 0.883                                                                                                                                           
#15 0.883   [RuntimeException]                                                                                                                      
#15 0.883   Failed to execute git clone --mirror -- '[email protected]/xxxxx' '/root/.composer/cache/vcs/git-github.com-xxxxxxx/'  
#15 0.883                                                                                                                                           
#15 0.883   Cloning into bare repository '/root/.composer/cache/vcs/git-github.com-xxxxxxx'...                                             
#15 0.883   Warning: Permanently added the RSA host key for IP address '140.82.121.3' to the list of known hosts.                                   
#15 0.883   Load key "/root/.ssh/id_rsa": invalid format                                                                                            
#15 0.883   [email protected]: Permission denied (publickey).                                                                                          
#15 0.883   fatal: Could not read from remote repository.                                                                                           
#15 0.883                                                                                                                                           
#15 0.883   Please make sure you have the correct access rights                                                                                     
#15 0.883   and the repository exists.

Anyone with suggestions?

in flag
The access token is not an ssh key. It's meant to be used as a password in the http url (read the GitHub documentation). But I'd be more concerned about the fact that the key stays in the image and everybody with access to the image can read it.
in flag
https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token#using-a-token-on-the-command-line
ph flag
But since my environment is within AWS ecs, am I even able to use ssh-key?
in flag
You are missing the point. You can't use the access token as an SSH key. It's supposed to be used as a password over https.
Score:1
in flag

Your personal access token is not meant to be used as an SSH key, it's a replacement for the your personal GitHub password and can only be used with HTTPS connections.

A working minimal Dockerfile would be:

FROM php:8-fpm

ARG GIT_ACCESS_TOKEN

RUN apt-get update && apt-get install -y git

RUN git clone https://yourusername:${GIT_ACCESS_TOKEN}@github.com/yourusername/yourrepo.git

You can then use the ARG on the build command line:

docker build --build-arg GIT_ACCESS_TOKEN="YOURLONGACCESSTOKEN" .

BUT:

Your access token will be visible to everybody who hast access to your image.

This is noted in the Dockerfile documentation:

Warning:

It is not recommended to use build-time variables for passing secrets like github keys, user credentials etc. Build-time variable values are visible to any user of the image with the docker history command.

You should use a multi-stage build or use the newer Build secrets to prevent this.

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.