emk / rust-musl-builder

Docker images for compiling static Rust binaries using musl-libc and musl-gcc, with static versions of useful C libraries. Supports openssl and diesel crates.
Apache License 2.0

git credential ghtoken gives a git error #97

Closed lephyrius closed 3 years ago

lephyrius commented 4 years ago

What did you try to do?

I added this to the Dockerfile:

ENV GH_USER=lephyrius
ENV GH_TOKEN=...

Further down I used git:

RUN mkdir test && cd test && git init && git fetch --tags --force --update-head-ok https://github.com/lephyrius/example.git

What happened?

I got this error message:

17:03:49.931009 git.c:344               trace: built-in: git fetch --tags --force --update-head-ok https://github.com/lephyrius/example.git
17:03:49.931167 run-command.c:646       trace: run_command: GIT_DIR=.git git-remote-https https://github.com/lephyrius/example.git https://github.com/lephyrius/example.git
17:03:50.324563 run-command.c:646       trace: run_command: 'git credential-ghtoken get'
17:03:50.331164 git.c:576               trace: exec: git-credential-ghtoken get
17:03:50.331223 run-command.c:646       trace: run_command: git-credential-ghtoken get
git: 'credential-ghtoken' is not a git command. See 'git --help'.
17:03:50.337513 run-command.c:646       trace: run_command: 'git credential-store get'
17:03:50.343622 git.c:576               trace: exec: git-credential-store get
17:03:50.343685 run-command.c:646       trace: run_command: git-credential-store get
warning: url has no scheme:
fatal: credential url cannot be parsed:
fatal: could not read Username for 'https://github.com': No such device or address

What did you hope to happen?

I wanted to fetch my private repo which.

Additional information

I reduced the example. So I didn't use cargo but I want to use cargo.

emk commented 4 years ago

Honestly, I have no idea what's going on here.

You almost certainly don't want to be hard-coding GH_TOKEN in your Dockerfile using ENV. In a perfect world, you'd be passing in a temporary Vault token (or something similar) using ARG, and then using that Vault token to look up your GitHub token, and finally revoking the temporary Vault token the moment the docker build command is done. Any other approach will inevitably wind up leaking a GitHub token somewhere, either into the resulting Docker image or into your source control. That might be tolerable if the GitHub token is read-only, and you don't care too much about keeping your source code 100% secret.

git-credential-ghtoken is not a documented or officially supported feature of rust-musl-builder, because there's no easy way to use it correctly without some system of temporary, revokable tokens. Unfortunately, the easiest workaround for this problem is to combine all your internal-only Rust projects into a single workspace.

I wish I had a better answer for you. Accessing private packages from within a docker build step is surprisingly hard.
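The warning above, that a token set with ENV is baked into the resulting image, is something a build pipeline can check before the image is ever built. The following lint is an added example, not code from rust-musl-builder or from anyone in this thread; it flags ENV instructions that set credential-looking variables (and ARG instructions that carry a hard-coded default), and the sample Dockerfile, the variable-name patterns and the `ghp_` token prefix check are assumptions constructed for the demo.

```python
import re
from typing import List, Tuple

# Variable names that usually hold credentials (assumption: extend for your own conventions).
SECRET_NAME = re.compile(r"(TOKEN|SECRET|PASSWORD|PASSWD|API_KEY|PRIVATE_KEY)$", re.I)
# Values that look like a GitHub PAT ("ghp_" prefix) or the "..." redaction used in the thread.
SECRET_VALUE = re.compile(r"^(ghp_[A-Za-z0-9]+|\.\.\.)$")

# Constructed sample mirroring the thread's Dockerfile fragment; the image name is a placeholder.
SAMPLE = """FROM builder-image
ENV GH_USER=lephyrius
ENV GH_TOKEN=...
ARG VAULT_TOKEN
ARG GH_TOKEN=ghp_exampleonly
RUN mkdir test && cd test && git init && \\
    git fetch --tags https://github.com/lephyrius/example.git
"""


def _join_continuations(text: str) -> List[str]:
    """Merge backslash-continued Dockerfile lines into single logical lines."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        lines.append(buf + line)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def _pairs(args: str) -> List[Tuple[str, str]]:
    """Parse ENV/ARG operands: 'K=V K2=V2', or the legacy 'K V' form, or a bare 'K' for ARG."""
    if "=" in args.split(None, 1)[0]:
        return [tuple(p.split("=", 1)) if "=" in p else (p, "") for p in args.split()]
    parts = args.split(None, 1)
    return [(parts[0], parts[1] if len(parts) > 1 else "")]


def lint_dockerfile(text: str) -> List[str]:
    """Return one finding per instruction that would bake a credential into the image or build."""
    findings = []
    for line in _join_continuations(text):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        instr, _, args = stripped.partition(" ")
        instr = instr.upper()
        if instr not in ("ENV", "ARG") or not args:
            continue
        for name, value in _pairs(args):
            value = value.strip("'\"")
            suspicious = SECRET_NAME.search(name) or SECRET_VALUE.match(value)
            if instr == "ENV" and suspicious:
                findings.append(f"ENV {name}: persists in image config; pass a temporary token via ARG instead")
            elif instr == "ARG" and value and suspicious:
                findings.append(f"ARG {name}: hard-coded default is baked into the build; omit the default")
    return findings
```

Running `lint_dockerfile(SAMPLE)` reports the ENV GH_TOKEN line and the ARG with a baked-in default, while `ENV GH_USER` and the bare `ARG VAULT_TOKEN` pass.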