Last active
November 3, 2022 08:31
Build Go with private dependencies on AWS CodeBuild
version: 0.2

env:
  parameter-store:
    # <environment variable name>: <SSM Parameter Store parameter name>
    build_ssh_key: "build_ssh_key"

phases:
  install:
    commands:
      # Install the private key used to authenticate to GitHub over SSH.
      - mkdir -p ~/.ssh
      - echo "$build_ssh_key" > ~/.ssh/id_rsa
      - chmod 600 ~/.ssh/id_rsa
      # Add github.com to known_hosts if absent (trusts whatever key ssh-keyscan returns at build time).
      - ssh-keygen -F github.com || ssh-keyscan github.com >>~/.ssh/known_hosts
      # Rewrite HTTPS GitHub URLs to SSH so private dependencies are fetched with the key.
      - git config --global url."git@github.com:".insteadOf "https://github.com/"
      # Copy the source into GOPATH and fetch dependencies.
      - mkdir -p ${GOPATH}/src/github.com/a-h/project
      - cp -r $CODEBUILD_SRC_DIR/* $GOPATH/src/github.com/a-h/project
      - cd $GOPATH/src/github.com/a-h/project
      - make get
  build:
    commands:
      - cd $GOPATH/src/github.com/a-h/project
      - make test
      - make build
You need the private key to authenticate against private repos. Everyone's public key is available from GitHub already at e.g. https://github.com/EloyTolosa.keys so it wouldn't be much use as a way to restrict access to repos! 😁
The thing that's authenticating you can use your public key to verify that you have access to the private key, so in this case, GitHub has the public key (NOT the private key) and the CI user needs to prove that they have the private key.
It's been a few years since I looked at this (I use GitHub Actions for CI at the moment), but looking at this code, I'd say the process around it should be to put the key in SSM parameter store first, then update this code to use the AWS CLI to retrieve the key from the SSM parameter store (making sure you've given the build agent's role permission to retrieve it).
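As an added example (not part of the gist or of the comment above), a hardened form of the buildspec's key-installation step: it rejects an empty value or a public key before writing anything, and creates the key file with restrictive permissions from the start. `install_ssh_key` and its arguments are hypothetical names.

```shell
#!/bin/sh
# Added example: hardened replacement for `echo "$build_ssh_key" > ~/.ssh/id_rsa`.
# install_ssh_key is a hypothetical helper name, not part of the gist.
#
# install_ssh_key KEY_MATERIAL [SSH_DIR]
# Returns 0 on success, 1 if the value is empty, 2 if it is not a private key.
install_ssh_key() {
    key=$1
    ssh_dir=${2:-"$HOME/.ssh"}

    # An unset or misnamed parameter would otherwise yield an empty key file
    # and only fail later, inside `make get`.
    if [ -z "$key" ]; then
        echo "install_ssh_key: key material is empty" >&2
        return 1
    fi

    # A public key (ssh-rsa AAAA..., ssh-ed25519 AAAA...) cannot authenticate;
    # accept only a PEM/OpenSSH private key block.
    case $key in
        "-----BEGIN "*"PRIVATE KEY-----"*"-----END "*"PRIVATE KEY-----"*) ;;
        *)
            echo "install_ssh_key: value is not a private key block" >&2
            return 2
            ;;
    esac

    # Subshell: the restrictive umask does not leak into the rest of the build.
    # Directory and file are created 0700/0600, so the key is never readable
    # by other users, even briefly.
    (
        umask 077
        mkdir -p "$ssh_dir" &&
        chmod 700 "$ssh_dir" &&
        # Remove any stale file so its old (possibly wider) mode is not reused.
        rm -f "$ssh_dir/id_rsa" &&
        # printf writes the value verbatim and guarantees the trailing newline
        # that OpenSSH expects at the end of a key file.
        printf '%s\n' "$key" > "$ssh_dir/id_rsa"
    )
}
```

In the buildspec this would replace the `echo` and `chmod 600` commands with a call such as `install_ssh_key "$build_ssh_key"`, after sourcing the file that defines the function.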