Pip install from git repo inside docker build with GitHub Actions

I'm working on segregating common modules into dedicated repositories for our GitHub organization. I use pip install from a git repo in the Dockerfile to install shared modules developed inside the organization

RUN pip3 install -r requirements.txt

where the git repo dependency is referenced like

git+https://github.com/org/repo.git@master

The issue I'm facing is that I can't make pip3 install authenticate against the organisation's private repository when running as a GitHub Action with pip3 install inside the Dockerfile. I want to avoid creating a private access token (PAT) for one of the devs, as I want to be user-agnostic and not maintain tokens for leaving team members. I tried to use ${{ secrets.GITHUB_TOKEN }}, but with deeper reading realized that the token has access to the repository where the GitHub Action is initiated (link)

The token's permissions are limited to the repository that contains your workflow

Is there a way to make pip3 install work in GitHub Actions without a PAT?

The error I get in one of many iterations:

Collecting git+https://****@github.com/org/repo.git@master (from -r requirements.txt (line 17))
  Cloning https://****@github.com/org/repo.git (to revision master) to /tmp/pip-req-build-mnge3zvd
  Running command git clone -q 'https://****@github.com/org/repo.git' /tmp/pip-req-build-mnge3zvd
  fatal: could not read Password for 'https://${GITHUB_TOKEN}@github.com': No such device or address
WARNING: Discarding git+https://****@github.com/org/repo.git@master. Command errored out with exit status 128: git clone -q 'https://****@github.com/org/repo.git' /tmp/pip-req-build-mnge3zvd Check the logs for full command output.
ERROR: Command errored out with exit status 128: git clone -q 'https://****@github.com/org/repo.git' /tmp/pip-req-build-mnge3zvd Check the logs for full command output.


Solution 1:[1]

I suggest using ssh like this:

In your Dockerfile:

RUN --mount=type=ssh,id=default pip install -r requirements.txt

In your requirements.txt, change to

git+ssh://git@github.com/org/repo.git@master

Prepare an ssh private key associated with your GitHub account in the repo Settings/Actions/Secrets, with the name SSH_KEY (it would be better to use a dedicated ssh key)

In the YAML defining your action, create a step

- name: Prepare Key
  uses: webfactory/ssh-agent@<version>
  with:
    ssh-private-key: ${{ secrets.SSH_KEY }}

This will export an env variable SSH_AUTH_SOCK for later use.

In the next action step, use SSH_AUTH_SOCK

- name: Build and push
  id: docker_build
  uses: docker/build-push-action@v2
  with:
    ssh: |
      default=${{ env.SSH_AUTH_SOCK }}

reference: https://github.com/webfactory/ssh-agent#using-the-dockerbuild-push-action-action
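
A pre-build check for the requirement formats discussed above, as an added example that is not part of the original question or answer: it flags requirements.txt lines that carry a credential in the URL (or a `${VAR}` placeholder for one, like the unexpanded `${GITHUB_TOKEN}` in the question's error output) and accepts the `git+ssh://` form. The names `classify` and `audit`, the mode labels and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample, modelled on the requirement lines shown on this page.
SAMPLE = """\
requests==2.31.0
git+https://github.com/org/repo.git@master
git+https://${GITHUB_TOKEN}@github.com/org/repo.git@master
git+https://x-access-token:CONSTRUCTED-TOKEN@github.com/org/repo.git@master
git+ssh://git@github.com/org/repo.git@master
"""

VCS_URL = re.compile(r"git\+((?:https?|ssh)://\S+)")
PLACEHOLDER = re.compile(r"\$\{[A-Za-z0-9_]+\}")


def classify(line):
    """Classify how one requirements.txt line authenticates to its git host."""
    if line.lstrip().startswith("#"):
        return "not-vcs"
    match = VCS_URL.search(line)
    if not match:
        return "not-vcs"
    url = urlsplit(match.group(1))
    userinfo = url.netloc.rpartition("@")[0]
    if url.scheme == "ssh":
        # Key material stays in the ssh-agent; "git" is only the login name.
        return "embedded-secret" if url.password else "ssh-agent"
    if not userinfo:
        return "anonymous"          # works for public repositories only
    if PLACEHOLDER.search(userinfo):
        return "env-placeholder"    # token must be injected into the build
    return "embedded-secret"        # credential committed with the file


def audit(text):
    """Return (line number, mode) for lines that put a credential in the URL."""
    risky = {"env-placeholder", "embedded-secret"}
    return [(n, mode) for n, line in enumerate(text.splitlines(), 1)
            if (mode := classify(line)) in risky]


if __name__ == "__main__":
    for lineno, mode in audit(SAMPLE):
        print(f"requirements.txt:{lineno}: {mode}")
```

Run as a step before the Docker build, a non-empty `audit` result can fail the job so that only agent-authenticated or anonymous requirements reach the image build.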

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Andy Huang