nmattia / niv

Easy dependency management for Nix projects
https://github.com/nmattia/niv
MIT License

source.json interpolation with environment variables #321

Open yaitskov opened 3 years ago

yaitskov commented 3 years ago

I spent a few days integrating a cascade of CI for several projects on GitLab.

The issue is SSH authentication. Every git repo is private. GitLab has a hack: a special user with a token.

So if sources.json, instead of:

```json
{
  "private-dep": {
    "branch": "master",
    "repo": "ssh://git@gitlab.com/company/private-dep.git",
    "rev": "ed73d970fd13b009ca5829f6b8c1c936c7221032",
    "type": "git"
  }
}
```

would contain the following:

```
"repo": "ssh://gitlab-ci-token:$CI_JOB_TOKEN@gitlab.com/company/private-dep.git",
```

then there is no hassle with SSH keys at all.

Some expression language (mustache?) supporting environment variables would help here a lot.

```
"repo": "ssh://git$([ -n "$CI_JOB_TOKEN" ] && echo "lab-ci-token:$CI_JOB_TOKEN")@gitlab.com/company/private-dep.git",
```

nmattia commented 3 years ago

That sounds like a good idea. Maybe we can even unify this with the "template" feature used in e.g. URL templates (where <foo> in a string is replaced with the value of the foo attribute).

refnil commented 3 years ago

> Some expression language (mustache?) supporting environment variables would help here a lot.

I would be hesitant to bring any expression language during the nix evaluation. It would add that language as a dependency to every niv user.

Then the next idea is to implement the interpreter for the expression language in nix itself. That seems like a project in itself.

My proposal to solve this problem would be to add a system of mirrors to niv and upgrade the template feature to support environment variables. In your case, the first mirror would be the regular URL ssh://git@gitlab.com/company/private-dep.git and the second would be the modified URL for gitlab-ci, ssh://gitlab-ci-token:<CI_JOB_TOKEN>@gitlab.com/company/private-dep.git. The biggest uncertainty of this approach is that we need to change each fetcher to support mirrors, since I don't think we can do it generically in nix.

zimbatm commented 3 years ago

Specifically for HTTP fetches, libcurl reads the user's ~/.netrc file for basic auth type credentials. Maybe Git is also respecting that file?

I'm thinking in terms of addressing the underlying issue.

adrian-gierakowski commented 3 years ago

Yes, git does respect netrc

On Sat, 14 Aug 2021 at 12:21, Jonas Chevalier @.***> wrote:

> Specifically for HTTP fetches, libcurl reads the user's ~/.netrc file for basic auth type credentials. Maybe Git is also respecting that file?
>
> I'm thinking in terms of addressing the underlying issue.

-- Adrian Gierakowski
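
One way to apply the netrc suggestion from the two comments above in a GitLab CI job, as an added example that is not from the thread or from niv: it writes a `gitlab-ci-token` entry from `CI_JOB_TOKEN` into a netrc file readable only by its owner, so the token never appears in sources.json. It assumes the dependency is fetched over HTTPS rather than the ssh:// URL in the issue and that existing netrc entries are written one per line; the function name `write_netrc_entry` is hypothetical.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of niv).
# Usage: write_netrc_entry <netrc-path> <host> <login> <password>
write_netrc_entry() {
    netrc_path=$1 host=$2 login=$3 password=$4

    # Refuse empty fields: an unset CI variable must fail the job here,
    # not produce an entry with a blank password.
    if [ -z "$host" ] || [ -z "$login" ] || [ -z "$password" ]; then
        echo "write_netrc_entry: host, login and password are required" >&2
        return 1
    fi
    # netrc fields are whitespace-separated, so whitespace inside a value
    # would be parsed as extra tokens.
    case "$host$login$password" in
        *[[:space:]]*)
            echo "write_netrc_entry: whitespace is not allowed in a field" >&2
            return 1 ;;
    esac

    (
        umask 077
        # Build the new file next to the target so the final mv is atomic.
        tmp=$(mktemp "${netrc_path}.XXXXXX") || exit 1
        # Keep entries for other hosts; drop a previous entry for this host
        # so repeated runs do not accumulate stale tokens.
        if [ -f "$netrc_path" ]; then
            awk -v h="$host" '!($1 == "machine" && $2 == h)' "$netrc_path" > "$tmp"
        fi
        printf 'machine %s login %s password %s\n' "$host" "$login" "$password" >> "$tmp"
        chmod 600 "$tmp"    # owner read/write only
        mv "$tmp" "$netrc_path"
    )
}

# In a CI job, before the fetch runs (HTTPS remote assumed):
#   write_netrc_entry "$HOME/.netrc" gitlab.com gitlab-ci-token "$CI_JOB_TOKEN"
```
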

jh-devv commented 1 month ago

What about other https mirrors that need authentication in the form of cookies?