0

I'm trying to add my private GitHub repository, through the composer.json-file, while building a docker image. But I can't make it work no matter what I try.

I want the most simple approach possible, it doesn't have to be the most secure but at least acceptable. I'm hoping it's possible to do with a "Personal Access Token".

Here's my attempt;

FROM php:8-fpm

# Set working directory
WORKDIR /var/www

# Set args
ARG GIT_ACCESS_TOKEN
ARG GIT_PRIVATE_KEY
ARG GIT_HASH
ENV GIT_HASH=$GIT_HASH

# add credentials on build
#RUN touch ~/.composer/auth.json
RUN mkdir ~/.composer
RUN echo '{"github-oauth":{"github.com": "${GIT_ACCESS_TOKEN}"}}' > ~/.composer/auth.json

# Install dependencies
RUN apt-get update && apt-get install -y \
    nano \
    build-essential \
    default-mysql-client \
    locales \
    zip \
    libzip-dev \
    unzip \
    git \
    curl \
    libssl-dev \
    libonig-dev

# Install extensions
RUN docker-php-ext-install opcache pdo_mysql mbstring zip ftp mysqli bcmath

# GitHub access to LCMS
RUN git config --global url."https://${GIT_ACCESS_TOKEN}@github.com".insteadOf "ssh://git@github.com"

RUN mkdir -p ~/.ssh/ && \
    echo ${GIT_ACCESS_TOKEN} > ~/.ssh/id_rsa && \
    chmod -R 600 ~/.ssh/ && \
    ssh-keyscan -t rsa github.com >> ~/.ssh/known_hosts

# Install composer
# Copy composer.lock and composer.json
COPY ./web/composer.json /var/www/
RUN curl -sS https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin --filename=composer

# Install vendor dependencies through composer
RUN composer install

# Install opache settings for php
COPY ./web/nginx/php.ini $PHP_INI_DIR/conf.d/opcache.ini

# Copy existing application directory contents
COPY ./web /var/www

# Clean up
RUN apt-get remove -y git && apt-get autoremove -y && apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*

# Expose port 9000 and start php-fpm server
EXPOSE 9000

I'm always greeted with errors from GitHub. If I run the code above, I get this error;

> [11/14] RUN composer install:                                                                                    
#15 0.196 Do not run Composer as root/super user! See https://getcomposer.org/root for details                      
#15 0.226 No composer.lock file present. Updating dependencies to latest instead of installing from lock file. See https://getcomposer.org/install for more information.
#15 0.226 Loading composer repositories with package information
#15 0.877 
#15 0.883                                                                                                                                           
#15 0.883   [RuntimeException]                                                                                                                      
#15 0.883   Failed to execute git clone --mirror -- 'git@github.xxxxx/xxxxx' '/root/.composer/cache/vcs/git-github.com-xxxxxxx/'  
#15 0.883                                                                                                                                           
#15 0.883   Cloning into bare repository '/root/.composer/cache/vcs/git-github.com-xxxxxxx'...                                             
#15 0.883   Warning: Permanently added the RSA host key for IP address '140.82.121.3' to the list of known hosts.                                   
#15 0.883   Load key "/root/.ssh/id_rsa": invalid format                                                                                            
#15 0.883   git@github.com: Permission denied (publickey).                                                                                          
#15 0.883   fatal: Could not read from remote repository.                                                                                           
#15 0.883                                                                                                                                           
#15 0.883   Please make sure you have the correct access rights                                                                                     
#15 0.883   and the repository exists.

Anyone with suggestions?

Paul
  • 2,755
  • 6
  • 24
  • 35
Oakleaf
  • 101
  • 1
  • The access token is not an ssh key. It's meant to be used as a password in the http url (read the GitHub documentation). But I'd be more concerned about the fact that the key stays in the image and everybody with access to the image can read it. – Gerald Schneider Nov 27 '21 at 06:17
  • https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token#using-a-token-on-the-command-line – Gerald Schneider Nov 27 '21 at 12:26
  • But since my environment is within AWS ecs, am I even able to use ssh-key? – Oakleaf Nov 28 '21 at 08:36
  • You are missing the point. You can't use the access token as an SSH key. It's supposed to be used as a password over https. – Gerald Schneider Nov 28 '21 at 08:44

1 Answers1

1

Your personal access token is not meant to be used as an SSH key, it's a replacement for the your personal GitHub password and can only be used with HTTPS connections.

A working minimal Dockerfile would be:

FROM php:8-fpm

ARG GIT_ACCESS_TOKEN

RUN apt-get update && apt-get install -y git

RUN git clone https://yourusername:${GIT_ACCESS_TOKEN}@github.com/yourusername/yourrepo.git

You can then use the ARG on the build command line:

docker build --build-arg GIT_ACCESS_TOKEN="YOURLONGACCESSTOKEN" .

BUT:

Your access token will be visible to everybody who hast access to your image.

This is noted in the Dockerfile documentation:

Warning:

It is not recommended to use build-time variables for passing secrets like github keys, user credentials etc. Build-time variable values are visible to any user of the image with the docker history command.

You should use a multi-stage build or use the newer Build secrets to prevent this.

Gerald Schneider
  • 19,757
  • 8
  • 52
  • 79