add_dockerfile() should use GITHUB_PAT when calling remotes::install_github

[ColinFay]

Context: I manage a shinyproxy server and we use golem for most of our apps. They deploy via an AWS CD pipeline powered by a Dockerfile created with golem::add_dockerfile()

Problem: docker build can fail when installing packages from github because the rate limit of the GitHub API is exceeded.

For example, this is from my AWS build log:

1090 | Error: Failed to install 'unknown package' from GitHub:
1091 | Failed to install 'gargle' from GitHub:
1092 | HTTP error 403.
1093 | API rate limit exceeded for 35.176.92.34. (But here's the good news: Authenticated requests get a higher rate limit. Check out the documentation for more details.)
1094 |  
1095 | Rate limit remaining: 0/60
1096 | Rate limit reset at: 2020-10-12 16:31:43 UTC
1097 |  
1098 | To increase your GitHub API rate limit
1099 | - Use `usethis::browse_github_pat()` to create a Personal Access Token.
1100 | - Use `usethis::edit_r_environ()` and add the token as `GITHUB_PAT`.
1101 | Execution halted
1102 | The command '/bin/sh -c Rscript -e 'remotes::install_github("tidyverse/googlesheets4@b86b6f76ee857493dd58135169272c66cb5493f2")'' returned a non-zero code: 1
1103

Solution: Change the command used to install packages from github in the Dockerfile:

RUN Rscript -e 'remotes::install_github("r-lib/rlang@v0.4.7")'

should become

ARG GITHUB_PAT  # Only once before non CRAN remotes
RUN GITHUB_PAT=$GITHUB_PAT Rscript -e 'remotes::install_github("r-lib/rlang@v0.4.7")'

This would allow the user to pass a GITHUB_PAT when building the docker image and avoid the rate limit. Another HUGE advantage is that it would allow access to private repository!

I would suggest adding a logical argument use_github_pat = FALSE to the various add_dockerfile_XXX() functions. The default value (FALSE) would preserve the existing behaviour but use_github_pat = TRUE would add the necessary code in the Dockerfile.

Note that the user does not need to pass the value of their GITHUB_PAT to add_dockerfile. Instead it must be passed as a build argument when calling docker build.

Migrated from https://github.com/ThinkR-open/golem/issues/531

[ColinFay]

Original issue from @antoine-sachet

[yogat3ch]

Bumping this!

[VincentGuyader]

Hi, have à look to the add_dockerfile_with_renv function :)

[yogat3ch]

Hi @VincentGuyader, I updated golem and dockerfiler from Github and searched both repos for add_dockerfile_with_renv and am unable to find the function that you are referring to. Could you elaborate more?

[VincentGuyader]

hi yes, we have a little trouble to finalize the transition to golem 0.3.3 which contains the function :)

you can install golem with :

remotes::install_github("thinkr-open/golem@temp_renv")

then run golem::add_dockerfile_with_renv(output_dir = "deploy") inside your project

[yogat3ch]

Hi @VincentGuyader , Thanks for the extra detail! I checked out the branch, it will definitely be nice to have the option of installing from the renv.lock file as we use renv on all of our repos. This will dramatically simplify the Dockerfile! However, while looking through the branch, I didn't notice any support for GITHUB_PAT handling in the case when an app needs to install dependencies from private repos that depend on the GITHUB_PAT as this issue references. Did I miss something?

[VincentGuyader]

yes indeed I had misunderstood the request, had passed too quickly on the side "private repos". I have no use case to test on my side.

maybe it's clear for @ColinFay or @statnmap to deal with this need ?

[yogat3ch]

Hi @VincentGuyader, Ah ok, thanks for clarifying. For what it's worth, the solution Colin posted above worked for us with a bit of modification. It requires passing the GITHUB_PAT build arg to each call in the Dockerfile that accesses a private repo. I might be able to adapt the code above into a sub-function that handles adding the build-args to be used inadd_dockerfile or add_dockerfile_with_renv as a Pull Request, if that would be helpful?

[VincentGuyader]

yes, PR welcome :)