drupalwxt / docker-scaffold

Docker Scaffold for Drupal WxT

Conditionally copy auth.json file for private repos #18

Closed smulvih2 closed 1 year ago

smulvih2 commented 2 years ago

I need to support private GitHub repos in my builds, which requires an auth.json file at the root of the repo. Adding a conditional copy for auth.json. Tested with private GitHub repo and works as expected. Also tested without an auth.json file in repo and doesn't fail on COPY command. Could also be used for private packagist and GitLab repos.

sylus commented 2 years ago

Yeah, so this was never added as, honestly, I wasn't sure of the best way to handle this.

The problem with this current method is that the credentials would be baked into the container, so anyone who has access to the container can see this file. That might be ok if you create a token with proper scope just for a client, and we can override the Dockerfile at your level using a patch.

I think this was not a convention I wanted to add natively that people would be opted into. Also, I could foresee people accidentally pushing their auth tokens to a public repo.

It is not recommended to use build-time variables for passing secrets like github keys, user credentials etc. Build-time variable values are visible to any user of the image with the docker history command.

I think the best way at the moment is to use docker build secrets:

https://docs.docker.com/develop/develop-images/build_enhancements/#new-docker-build-secret-information

Or the more legacy way of using multi stage:

https://medium.com/@erika_dike/installing-package-from-a-private-repo-in-your-docker-container-f45b1a4954a2
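As an added example (not part of this PR or of docker-scaffold), the Dockerfile fragment below contrasts the conditional COPY approach with the BuildKit secret approach linked above; the project path, stage names and the secret id `composer_auth` are assumptions.

```dockerfile
# syntax=docker/dockerfile:1
# Added example, not docker-scaffold's own Dockerfile. Assumed project root:
# /var/www/html; assumed secret id: composer_auth.
FROM composer:2 AS vendor
WORKDIR /var/www/html
COPY composer.json composer.lock ./

# WEAK PATTERN (what a plain COPY does): the token lands in an image layer.
# A later "rm -f auth.json" only hides it from the final filesystem; the
# earlier layer still carries it and `docker save` / layer inspection reveal it.
#   COPY auth.json ./
#   RUN composer install --no-dev --no-scripts && rm -f auth.json

# PREFERRED: the secret is mounted as a tmpfs file for this single RUN step
# and never becomes part of a layer. Composer reads auth.json next to
# composer.json, so no COMPOSER_AUTH variable or COPY is needed. A secret
# mount is not required by default, so a build that passes no --secret
# (no private repos) still succeeds, matching the "doesn't fail" goal of
# the conditional COPY.
RUN --mount=type=secret,id=composer_auth,target=/var/www/html/auth.json \
    composer install --no-dev --no-scripts --prefer-dist --no-interaction

# Final image only receives the installed vendor tree from the build stage.
FROM php:8.1-apache
COPY --from=vendor /var/www/html/vendor /var/www/html/vendor

# Build with the token supplied from outside the build context, e.g.:
#   DOCKER_BUILDKIT=1 docker build \
#     --secret id=composer_auth,src=$HOME/.composer/auth.json -t site-wxt .
# Afterwards `docker history --no-trunc site-wxt` shows no auth material.
```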

smulvih2 commented 2 years ago

@sylus thanks for the feedback. I have pushed another commit to this PR that removes the auth.json file after composer install is done so at least the file is not in the image. I will be using this technique for a new project, at least until I can test some other approaches and get a better solution. I will be using a token from the proper scope as well so I don't see any issues with this approach for the time being. Will let you know when I have more time to test the links you sent. Thanks!!!

smulvih2 commented 2 years ago

I modified the drupalwxt/site-wxt Makefile to patch docker-scaffold with this PR's patch:

```makefile
# Clone docker-scaffold once and apply the PR patch. The grouping makes the
# patch run only directly after a fresh clone, not on every make invocation
# (without it, an existing docker/ dir would be re-patched each time).
GET_DOCKER := $(shell [ -d docker ] || (git clone $(DOCKER_REPO) docker && cd docker && patch -p1 < ../patches/docker-scaffold-pr18.patch))
```

Would be nice to pull docker-scaffold in via composer in the future.