@eschwartz
Last active November 2, 2023 15:11
npm install from private repo, in docker build
# Add these lines to your Dockerfile, before `npm install`
# Copy the bitbucket private key to your docker image
COPY ./bitbucket_ssh_key /opt/my-app/
# Copy the ssh script to your docker image
COPY ./ssh-bitbucket.sh /opt/my-app/
# Tell git to use your `ssh-bitbucket.sh` script
ENV GIT_SSH="/opt/my-app/ssh-bitbucket.sh"
RUN npm install
# Remove the private key once npm install is complete,
# to prevent any nefarious activities.
# Note: this removes the key from the final layer only; the earlier COPY layer still contains it.
RUN rm /opt/my-app/bitbucket_ssh_key

Goal: Install a package from a private bitbucket repository, using npm, from within a docker build script.

Steps:

  • Add a project from a private repo to your package.json. For example: git+ssh://git@bitbucket.org/hamweather/private-repo
  • Generate ssh keys using ssh-keygen (see https://confluence.atlassian.com/bitbucket/set-up-ssh-for-git-728138079.html)
  • Save the public key to the bitbucket repo you want to install (see Settings > Deployment Keys)
  • Commit the private key to your repo
  • Commit the ssh-bitbucket.sh script to your repo
  • Add executable permissions to ssh-bitbucket.sh
  • Set permissions on the private key to 0600
  • Update your Dockerfile, as shown in the Dockerfile lines above
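#!/usr/bin/env bash
# http://superuser.com/questions/232373/how-to-tell-git-which-private-key-to-use/920849#920849
# Wrapper used via GIT_SSH: run ssh with the deploy key and pass git's arguments through unchanged.
# Note: the two -o options below disable host key verification.
ssh -i /opt/my-app/bitbucket_ssh_key \
  -o UserKnownHostsFile=/dev/null \
  -o StrictHostKeyChecking=no \
  "$@"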
@tebriel

tebriel commented Aug 1, 2017

line 16 means that it won't be available in the last layer of the image, but if you inspect layers 2-5 you will still be able to extract the rsa key.

@xkrsz

xkrsz commented Mar 22, 2018

@tebriel exactly right, in this case you should use a multi stage build.
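
The multi-stage build suggested in the comment above, as an added example that is not part of the original gist or its comments: the key is copied only into a throwaway first stage, and the final image receives just `node_modules`. The base images (`node:20`, assumed to provide git and ssh, and `node:20-slim`), the `src/` directory and the `src/index.js` entry point are assumptions.

```dockerfile
# Added example, not from the gist. Base images, src/ and src/index.js are assumptions.

# ---- Stage 1: holds the deploy key, is never tagged or pushed ----
FROM node:20 AS deps
WORKDIR /opt/my-app

# Key and ssh wrapper exist only in this stage's layers
COPY ./bitbucket_ssh_key ./ssh-bitbucket.sh /opt/my-app/
ENV GIT_SSH="/opt/my-app/ssh-bitbucket.sh"

# Install dependencies, including the git+ssh:// private package
COPY package.json ./
RUN npm install

# ---- Stage 2: the image you tag and push ----
FROM node:20-slim
WORKDIR /opt/my-app

# Take only the installed dependencies from stage 1
COPY --from=deps /opt/my-app/node_modules ./node_modules

# Copy application files by name. A blanket `COPY . .` here would pull
# bitbucket_ssh_key from the build context straight into the final image.
COPY package.json ./
COPY src ./src

CMD ["node", "src/index.js"]
```

Only the layers of the last stage end up in the tagged image. The `deps` stage still sits in the build cache of the machine that ran the build, so the key should be treated as present there.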

@letmebecome

Thanks for this gist 👍

@cutmasta-kun

Should I add my private key to a project repo for that? Is this best practise?

@moraispgsi

No, you should not leave private keys in the repository. You have them encrypted and decrypted as needed.

@buksy90

buksy90 commented Jul 30, 2019

At line 4 we are copying bitbucket_ssh_key

COPY ./bitbucket_ssh_key /opt/my-app

But at line 16, we are deleting bitbucket_rsa

RUN rm ./bitbucket_rsa

Is that an error? Should have been there "rm ./bitbucket_ssh_key" ?

@eschwartz
Author

> At line 4 we are copying bitbucket_ssh_key
>
> COPY ./bitbucket_ssh_key /opt/my-app
>
> But at line 16, we are deleting bitbucket_rsa
>
> RUN rm ./bitbucket_rsa
>
> Is that an error? Should have been there "rm ./bitbucket_ssh_key" ?

Sure looks like a mistake to me. Thanks -- fixed it.

@Aposhian

Aposhian commented May 11, 2020

> Commit the private key to your repo

That sounds like a bad idea.

ghost commented Sep 29, 2021

I tried this and it works like a charm on my local machine. But somehow it does not work with GitHub Actions. I keep getting the following error (repo URL updated to prevent leak):

npm ERR! code 128
npm ERR! An unknown git error occurred
npm ERR! command git --no-replace-objects ls-remote ssh://git@github.com/My-Organization/My-Repository.git
npm ERR! Warning: Permanently added 'github.com,140.82.113.4' (RSA) to the list of known hosts.
npm ERR! git@github.com: Permission denied (publickey).
npm ERR! fatal: Could not read from remote repository.
npm ERR!
npm ERR! Please make sure you have the correct access rights
npm ERR! and the repository exists.

Any idea why?
