@scottt732
Last active May 10, 2024 14:56
GitHub NuGet feeds with env vars
  • Users set the GITHUB_USERNAME and GITHUB_ACCESS_TOKEN env vars to build locally with dependencies on a GitHub-hosted NuGet feed. nuget.config only references the variables, so no token is ever committed.
  • Users who want to build the image locally pass the same two values as BuildKit secrets to docker build or docker compose build. A secret is mounted for a single RUN step and is never written to an image layer.
  • The CI build process does something similar. We aren't using GitHub Actions at the moment, so you may need to tweak the --secret id=whatever,env=THIS_PART mapping to whatever variables your pipeline exposes.
<?xml version="1.0" encoding="utf-8"?>
<!-- nuget.config lives alongside your .sln file (if you have one) or .csproj file. -->
<!-- NuGet also reads the user-level and machine-level configs; the <clear /> below drops -->
<!-- any feeds inherited from those so only the sources listed here are ever consulted. -->
<!-- Older NuGet clients on Linux/macOS (case-sensitive filesystems) only picked up the -->
<!-- exact name NuGet.Config; current ones also accept nuget.config and NuGet.config, so -->
<!-- try NuGet.Config if the file seems to be ignored on an older SDK. -->
<configuration>
  <packageSources>
    <clear />
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
    <add key="mycompany" value="https://nuget.pkg.github.com/MyCompany/index.json" />
  </packageSources>
  <packageSourceMapping>
    <!-- restore warns (NU1507) when Central Package Management is on and several sources -->
    <!-- have no mapping. The mapping pins each package ID pattern to exactly one feed: -->
    <!-- MyCompany.* is only ever fetched from the private feed (the longest matching -->
    <!-- pattern wins) and everything else only from nuget.org, so a public package that -->
    <!-- someone publishes under one of your internal IDs can never be substituted for the -->
    <!-- private one (dependency confusion). -->
    <packageSource key="mycompany">
      <package pattern="MyCompany.*" />
    </packageSource>
    <packageSource key="nuget.org">
      <package pattern="*" />
    </packageSource>
  </packageSourceMapping>
  <packageSourceCredentials>
    <mycompany>
      <add key="Username" value="%GITHUB_USERNAME%" />
      <add key="ClearTextPassword" value="%GITHUB_ACCESS_TOKEN%" />
      <!-- The %VAR% references are the key here: NuGet expands them at restore time, so this -->
      <!-- file holds no secret and is safe to commit. Don't replace them with a literal token -->
      <!-- (dotnet nuget add source --store-password-in-clear-text would write one). The -->
      <!-- encrypted Password form is Windows-only (DPAPI), which is why ClearTextPassword is -->
      <!-- used here. The token needs the read:packages scope for 'dotnet restore' and -->
      <!-- write:packages for 'dotnet nuget push'. -->
      <!-- If your CI pipeline is GitHub Actions, it exposes secrets.GITHUB_TOKEN, scoped to -->
      <!-- the lifetime of that job run; give the job packages: read (or write) permission and -->
      <!-- map it in the workflow's env: block, e.g. GITHUB_USERNAME: ${{ github.actor }} and -->
      <!-- GITHUB_ACCESS_TOKEN: ${{ secrets.GITHUB_TOKEN }}. See 3_build_docker.sh for how -->
      <!-- those env vars are then handed to docker build; we embed that in our CI pipeline. -->
    </mycompany>
  </packageSourceCredentials>
</configuration>
# syntax=docker/dockerfile:1
# We mirror official images into AWS to help with bandwidth costs.
# You'll need to adjust the FROM statements (the upstream images are
# mcr.microsoft.com/dotnet/sdk:8.0-alpine and mcr.microsoft.com/dotnet/aspnet:8.0-alpine).
FROM public.ecr.aws/abcdefg/dotnet_sdk:8.0-alpine AS build
WORKDIR /app
# Keep a .dockerignore so bin/, obj/, .git and any local secrets stay out of the context.
COPY . .
# --mount=type=secret exposes each BuildKit secret as a file under /run/secrets/<id> for
# this RUN step only. Reading them into VAR=value prefixes of the command puts them in the
# environment of that one dotnet process and nowhere else: not in an ENV, not in the layer,
# not in `docker history`. They only leak if you export or echo them, or write them to
# disk... don't do that :-P. Your Dockerfile can then pull with dotnet restore or push
# with dotnet nuget push.
RUN --mount=type=secret,id=github_username \
    --mount=type=secret,id=github_access_token \
    GITHUB_USERNAME=$(cat /run/secrets/github_username) \
    GITHUB_ACCESS_TOKEN=$(cat /run/secrets/github_access_token) \
    dotnet restore
# publish runs an implicit restore for the RID; the MyCompany packages are already in this
# stage's NuGet cache and the runtime pack comes from nuget.org, so no secret mount is
# needed here. If that restore ever has to hit the private feed (e.g. a floating version),
# add the same mounts to this RUN. linux-musl-x64 is the portable RID for Alpine in .NET 8;
# alpine-x64 is the older distro-specific name.
RUN dotnet publish . -c Release -o /out --runtime alpine-x64 --self-contained true
# and/or
# RUN dotnet pack . -c Release -o /out ... if you're trying to build a class library -> nuget package
FROM public.ecr.aws/abcdefg/dotnet_aspnet:8.0-alpine AS runtime
WORKDIR /app
# --chown at COPY time avoids a second layer that duplicates every file just to change ownership.
COPY --chown=1000:1000 --from=build /out .
COPY --chown=1000:1000 startup.sh .
RUN chmod +x ./startup.sh
USER 1000:1000
ENTRYPOINT ["sh", "./startup.sh"]
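Added example, not part of the gist: a small Python linter for the two properties the nuget.config and the Dockerfile above rely on. For the config it checks that inherited feeds are cleared, that every feed is pinned by a package source mapping (and that no private feed is the catch-all), and that credentials are held only as %ENV_VAR% references; for the Dockerfile it flags ENV/ARG declarations that would bake a secret into the image config and history, and RUN lines that echo one into the build log. The function names, the secret-name and token-prefix heuristics, and the sample inputs are this example's own assumptions; the weak config sample is the gist's file with the protections stripped out and a placeholder token.

```python
"""Added example (not from the gist): lint a nuget.config and a Dockerfile for the
properties the files above rely on. Names, heuristics and samples are this example's own."""
import re
import xml.etree.ElementTree as ET

ENV_REF = re.compile(r"^%[A-Za-z_][A-Za-z0-9_]*%$")       # NuGet %ENV_VAR% reference
SECRET_NAME = re.compile(r"TOKEN|PASSWORD|SECRET", re.I)  # heuristic: names that carry secrets
TOKEN_PREFIXES = ("ghp_", "github_pat_", "ghs_")           # classic PAT, fine-grained PAT, Actions token


def lint_nuget_config(xml_text: str) -> list[str]:
    """Flag inherited feeds, feeds no package pattern is pinned to, and literal credentials."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    findings = []
    sources = root.find("packageSources")
    if sources is None or sources.find("clear") is None:
        findings.append("packageSources: no <clear />, so feeds from user/machine-level configs are inherited")
    urls = {a.get("key"): a.get("value", "") for a in (sources.findall("add") if sources is not None else [])}
    mapped = {ps.get("key"): [p.get("pattern") for p in ps.findall("package")]
              for ps in root.iterfind("packageSourceMapping/packageSource")}
    for key, url in urls.items():
        if key not in mapped:   # nothing pinned: NuGet may resolve any package ID from this feed
            findings.append(f"packageSourceMapping: '{key}' is unmapped, so any package ID may come from it")
        elif "*" in mapped[key] and "api.nuget.org" not in url:
            findings.append(f"packageSourceMapping: private feed '{key}' is the catch-all '*' source")
    for src in root.iterfind("packageSourceCredentials/*"):
        for add in src.findall("add"):
            name, value = add.get("key"), add.get("value", "")
            if name in ("Password", "ClearTextPassword") and not ENV_REF.match(value):
                findings.append(f"packageSourceCredentials/{src.tag}: {name} is a literal, not a %ENV_VAR% reference")
            if value.startswith(TOKEN_PREFIXES):
                findings.append(f"packageSourceCredentials/{src.tag}: {name} value looks like a GitHub token")
    return findings


def lint_dockerfile(text: str) -> list[str]:
    """Flag ENV/ARG that bake a secret into image config/history, and RUN lines that echo one."""
    findings, buf, start = [], [], 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        start = start or lineno                  # remember where a multi-line instruction began
        if raw.rstrip().endswith("\\"):          # join backslash continuations into one command
            buf.append(raw.rstrip()[:-1])
            continue
        line, buf, first = " ".join(buf + [raw]).strip(), [], start
        start = 0
        decl = re.match(r"(ENV|ARG)\s+([A-Za-z_]\w*)", line)
        if decl and SECRET_NAME.search(decl.group(2)):
            findings.append(f"line {first}: {decl.group(1)} {decl.group(2)} persists in the image config and history")
        if line.startswith("RUN") and re.search(r"\b(echo|printf)\b.*\$\{?\w*(TOKEN|PASSWORD|SECRET)", line, re.I):
            findings.append(f"line {first}: RUN echoes a secret variable into the build log")
    return findings


# Constructed samples: the gist's nuget.config, then the same file with the three
# protections stripped out (the ghp_ value is a placeholder, not a real credential).
HARDENED_NUGET = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <clear />
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
    <add key="mycompany" value="https://nuget.pkg.github.com/MyCompany/index.json" />
  </packageSources>
  <packageSourceMapping>
    <packageSource key="mycompany"><package pattern="MyCompany.*" /></packageSource>
    <packageSource key="nuget.org"><package pattern="*" /></packageSource>
  </packageSourceMapping>
  <packageSourceCredentials>
    <mycompany>
      <add key="Username" value="%GITHUB_USERNAME%" />
      <add key="ClearTextPassword" value="%GITHUB_ACCESS_TOKEN%" />
    </mycompany>
  </packageSourceCredentials>
</configuration>
"""
WEAK_NUGET = re.sub(r"<packageSourceMapping>.*?</packageSourceMapping>", "", HARDENED_NUGET, flags=re.S)
WEAK_NUGET = WEAK_NUGET.replace("<clear />", "").replace("%GITHUB_ACCESS_TOKEN%", "ghp_PLACEHOLDER00000000000000000000")
# Constructed Dockerfile fragments: the gist's secret-mount restore, and a leaky variant.
DOCKERFILE_OK = r"""FROM mcr.microsoft.com/dotnet/sdk:8.0-alpine AS build
RUN --mount=type=secret,id=github_username \
    --mount=type=secret,id=github_access_token \
    GITHUB_USERNAME=$(cat /run/secrets/github_username) \
    GITHUB_ACCESS_TOKEN=$(cat /run/secrets/github_access_token) \
    dotnet restore
"""
DOCKERFILE_WEAK = r"""FROM mcr.microsoft.com/dotnet/sdk:8.0-alpine AS build
ARG GITHUB_ACCESS_TOKEN
ENV GITHUB_USERNAME=ci
RUN echo "token=$GITHUB_ACCESS_TOKEN" && \
    dotnet restore
"""

if __name__ == "__main__":
    print(lint_nuget_config(WEAK_NUGET), lint_dockerfile(DOCKERFILE_WEAK), sep="\n")
```

Point it at a real checkout with lint_nuget_config(open("nuget.config").read()) before merging a feed change. The catch-all check is keyed on the api.nuget.org host and the Dockerfile checks are name-based heuristics, so adjust both if your public feed or variable names differ.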
#!/bin/bash
# Because the Dockerfile uses secrets named `github_username` and `github_access_token`, we need
# to supply them to the CLI. This instructs it to pull the values from env vars named
# GITHUB_USERNAME and GITHUB_ACCESS_TOKEN. `--secret ... env=` needs BuildKit, which is the
# default builder in current Docker; DOCKER_BUILDKIT=1 covers older daemons.
set -euo pipefail
# Fail early with a clear message instead of an opaque 401 from the feed halfway through restore.
: "${GITHUB_USERNAME:?set GITHUB_USERNAME to your GitHub login}"
: "${GITHUB_ACCESS_TOKEN:?set GITHUB_ACCESS_TOKEN to a token with the read:packages scope}"
# --progress plain echoes each RUN instruction as written in the Dockerfile (the literal
# $(cat /run/secrets/...) text), not the expanded secret values, so it is safe in CI logs.
DOCKER_BUILDKIT=1 docker build \
  --progress plain \
  --secret id=github_username,env=GITHUB_USERNAME \
  --secret id=github_access_token,env=GITHUB_ACCESS_TOKEN \
  -f "./Dockerfile" \
  .