- Users can set the GITHUB_USERNAME and GITHUB_ACCESS_TOKEN env vars to build locally with dependencies from a GitHub-hosted NuGet feed.
- Users who want to build the image locally can pass these in as secrets to `docker build` or `docker compose build`.
- The CI build process does something similar. We aren't using GitHub Actions at the moment, so you may need to tweak the `--secret id=whatever,env=THIS_PART` part to match whatever variables your pipeline exposes.
Last active
May 10, 2024 14:56
GitHub NuGet feeds with env vars
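<?xml version="1.0" encoding="utf-8"?>
<!-- nuget.config lives alongside your .sln file (if you have one) or .csproj file. -->
<!-- Older NuGet/.NET versions may have required the exact casing NuGet.config; try that if -->
<!-- the file is not picked up on an older toolchain. -->
<configuration>
  <packageSources>
    <!-- Start from an empty source list so machine- or user-level nuget.config entries can't -->
    <!-- add feeds behind this project's back: only the two feeds below are ever consulted. -->
    <clear />
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
    <add key="mycompany" value="https://nuget.pkg.github.com/MyCompany/index.json" />
  </packageSources>
  <packageSourceMapping>
    <!-- NuGet restore warned us to add this block when we switched to central package -->
    <!-- versions (several sources without a mapping). It is also the dependency-confusion -->
    <!-- control: anything matching MyCompany.* is resolved ONLY from the GitHub feed, so a -->
    <!-- same-named package pushed to nuget.org can never shadow an internal one. Every -->
    <!-- internal package ID therefore needs the MyCompany. prefix; an unprefixed internal -->
    <!-- package falls through to the nuget.org catch-all below. -->
    <packageSource key="mycompany">
      <package pattern="MyCompany.*" />
    </packageSource>
    <packageSource key="nuget.org">
      <package pattern="*" />
    </packageSource>
  </packageSourceMapping>
  <packageSourceCredentials>
    <mycompany>
      <!-- The %VAR% references are the key here: NuGet expands them from environment -->
      <!-- variables at restore time, so no credential is stored in this committed file. -->
      <!-- Never replace them with literal values. -->
      <add key="Username" value="%GITHUB_USERNAME%" />
      <add key="ClearTextPassword" value="%GITHUB_ACCESS_TOKEN%" />
      <!-- GITHUB_ACCESS_TOKEN is a GitHub token with a packages scope: read:packages is -->
      <!-- enough for 'dotnet restore'; 'dotnet nuget push' additionally needs write:packages. -->
      <!-- Give local-build tokens only read:packages and an expiry. -->
      <!-- If your CI pipeline is GitHub Actions, the job's GITHUB_TOKEN (valid only for that -->
      <!-- run) can stand in for a PAT. See 3_build_docker.sh for how the values reach -->
      <!-- docker build. Whether the built-in Actions variables need to be mapped onto -->
      <!-- GITHUB_USERNAME / GITHUB_ACCESS_TOKEN is not confirmed here -- verify in your pipeline. -->
    </mycompany>
  </packageSourceCredentials>
</configuration>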
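# syntax=docker/dockerfile:1
# The syntax line pins the BuildKit frontend: --mount=type=secret and COPY --chown/--chmod
# below need BuildKit (DOCKER_BUILDKIT=1 on older Docker installs).
#
# We mirror official images into AWS to help with bandwidth costs.
# You'll need to adjust the FROM statements. For a reproducible build, pin the mirror by
# digest (...:8.0-alpine@sha256:<digest>) so a re-tagged image can't change what ships.
FROM public.ecr.aws/abcdefg/dotnet_sdk:8.0-alpine AS build
WORKDIR /app
# COPY . . sends the whole build context into this stage. Keep a .dockerignore that excludes
# .git, bin/, obj/, .env and any user-level nuget.config so local credentials never enter the
# context (this stage is discarded, but the context itself is still sent to the daemon).
COPY . .
# The secrets are exposed to this single RUN as files under /run/secrets; BuildKit never
# writes them to a layer or to the image history. They are read into shell variables that
# exist only for the duration of `dotnet restore`, and nuget.config expands
# %GITHUB_USERNAME% / %GITHUB_ACCESS_TOKEN% from them. Do not copy them into ENV/ARG or onto
# disk: that bakes the token into the image.
# required=true makes the build fail immediately if the caller forgot `--secret id=...`
# rather than much later with an opaque 401 from the feed.
RUN --mount=type=secret,id=github_username,required=true \
    --mount=type=secret,id=github_access_token,required=true \
    GITHUB_USERNAME=$(cat /run/secrets/github_username) \
    GITHUB_ACCESS_TOKEN=$(cat /run/secrets/github_access_token) \
    dotnet restore
# NOTE(review): publish runs an implicit restore, here WITHOUT the secrets mounted. It works
# as long as every MyCompany.* package is already in the local package cache from the step
# above; otherwise it fails with a 401 (loudly, not silently). To make the separation
# explicit, restore with the same RID/self-contained settings and add --no-restore here --
# verify with your SDK first, as the restore flags that pull the runtime pack vary by version.
# NOTE(review): .NET 8 no longer reads the distro RID graph by default; if the SDK rejects
# alpine-x64 (NETSDK1083), use the portable linux-musl-x64 or set UseRidGraph=true.
RUN dotnet publish . -c Release -o /out --runtime alpine-x64 --self-contained true
# and/or
# RUN dotnet pack . -c Release -o /out ... if you're trying to build a class library -> nuget package
#     (pack also restores implicitly; the same note as above applies).

# NOTE(review): the publish above is self-contained, so the runtime image only needs the OS
# dependencies, not the ASP.NET runtime; a runtime-deps image would be smaller. Kept as is
# because the mirrored image names are site-specific.
FROM public.ecr.aws/abcdefg/dotnet_aspnet:8.0-alpine AS runtime
WORKDIR /app
# Set ownership (and the script's mode) at copy time instead of a later `chown -R` /
# `chmod`, each of which re-writes the touched files into an extra layer.
COPY --from=build --chown=1000:1000 /out .
COPY --chown=1000:1000 --chmod=0755 startup.sh .
# /app itself is created root-owned by WORKDIR; hand it to the runtime user so the app can
# still create files there, as the original recursive chown allowed (non-recursive: cheap).
# NOTE(review): the runtime user owning its own binaries means a compromised process can
# rewrite them. If the app never writes under /app, drop the --chown flags and this chown so
# the files stay root-owned and read-only to UID 1000 -- tighter, but confirm first.
RUN chown 1000:1000 /app
# Never run the service as root. A numeric UID:GID lets orchestrators (runAsNonRoot) verify it.
USER 1000:1000
# startup.sh is not part of this gist; it should end with `exec ./<app-binary> "$@"` so the
# app (not sh) is PID 1 and receives SIGTERM from `docker stop`.
ENTRYPOINT ["sh", "./startup.sh"]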
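#!/bin/bash
# Builds the image, feeding the GitHub feed credentials to the Dockerfile's secret mounts.
# The Dockerfile declares secrets named `github_username` and `github_access_token`; the
# `env=` form tells BuildKit to take each value from the named environment variable of this
# shell, so the token is never written to a file, a build arg, or an image layer.
set -euo pipefail

# Fail early with a clear message if the caller forgot to export the credentials; an empty
# token otherwise only surfaces much later as a 401 from nuget.pkg.github.com.
: "${GITHUB_USERNAME:?GITHUB_USERNAME must be set (GitHub username for the NuGet feed)}"
: "${GITHUB_ACCESS_TOKEN:?GITHUB_ACCESS_TOKEN must be set (token with read:packages)}"

# Secret mounts require BuildKit; set it explicitly so older Docker installs don't fall back
# to the legacy builder. If your BuildKit predates `env=`, the `src=<file>` form is the
# alternative (then use a temp file with 0600 permissions and delete it afterwards).
export DOCKER_BUILDKIT=1

# --progress plain prints the full build log. BuildKit does not print secret contents, but
# any Dockerfile command that echoes them would -- keep the RUN steps quiet about them.
docker build \
  --progress plain \
  --secret id=github_username,env=GITHUB_USERNAME \
  --secret id=github_access_token,env=GITHUB_ACCESS_TOKEN \
  -f "./Dockerfile" \
  .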