Build docker-image from remote repository (github-actions, gitlab-ci) with env and secrets from another remote repo?

My project has a (private) repository on GitHub with GitHub Actions integrated, which builds a docker-image and pushes it directly to GHCR.

But I have a problem with storing secrets and passing them into my build image. My project has the following structure:

.git (gitignored)
.env (gitignored)
config (gitignored) / config files (jsons)
src (git) / other folders and files

As you can see, I have a .env file and a config folder. Both store data or files that are not in the repo but are needed in the build environment.

So I want to ask whether there is any option not to push all these files to my main remote repository (even though it is private), but still use them in GitHub Actions?

It's not a problem to publish env & configs somewhere else, privately, in another separate private remote repo. The point is not to push these files to the main private repo, because the RBAC logic doesn't allow me to restrict access to selected files.

P.S. Any other suggestions using GitLab CI or BitBucket are also appreciated if you know how to solve the problem. Don't be shy, share it!

It looks like this question is a bit hot, so I found the answer.

The example shown below is based on a node.js and nest.js application and pulls a private remote repo from GitHub.

In my case, this scenario was about pulling config files and other secrets from a separate private repo, and merging them with our project during the container build. This option isn't about the security of secrets inside the container itself. It is about making one part of a project (the repo itself with the business logic) available to other developers (they won't see credentials and configs from the separate private repo in your development repo), with a secret private repo under separate access permissions.

You will all need a personal access token (PAT); for GitHub you can find it here:

As for GitLab, the flow is still the same. You'll need to pass the token from somewhere in the settings. And also, just a piece of good advice: create not just one but two Dockerfiles before testing it.

Why use https instead of ssh? In that case you would also need to pass an ssh key and configure the client correctly. It's a bit more complicated because of CRLF/LF line endings, the crypto algorithms ssh supports, and so on.

# it could be Go, PHP, what-ever

# stage 1: fetch the private config repo.
# Everything in this stage (the token, /root/.gitconfig, the git history)
# is discarded; only what we COPY --from it reaches the final image.
FROM node:17 AS config

# you will need your GitHub token from settings
# we will pass it to build env via GitHub action (--build-arg CR_PAT=...)
# keep it an ARG, never ENV: an ENV value is persisted into the image
ARG CR_PAT
# owner and name of the separate private repo, also passed as build args
ARG github_username
ARG repo_name

# update OS in build container
RUN apt-get update && apt-get install -y --no-install-recommends git \
    && rm -rf /var/lib/apt/lists/*

WORKDIR /fetch

# config git with credentials
# we will use https since it is much easier to config instead of ssh
RUN git config --global url."https://${github_username}:${CR_PAT}@github.com/".insteadOf "https://github.com/"

# cloning the repo into a fixed folder name (git would default to ${repo_name})
# and dropping its .git so the history is not copied along
RUN git clone --depth 1 "https://github.com/${github_username}/${repo_name}.git" repo_folder \
    && rm -rf repo_folder/.git

# stage 2: build the application
FROM node:17

# workdir app, it is a cd (directory)
WORKDIR /usr/src/app

# installing nest library
RUN npm install -g @nestjs/cli

# we copy all files from the pulled repo to the root of WORKDIR
# including files named with a dot at the beginning (like .env);
# COPY of a directory copies its contents, hidden files included
COPY --from=config /fetch/repo_folder/ ./

# node.js stuff
COPY package.json ./

RUN yarn install

COPY . .

RUN nest build app

# exec form, no shell; point it at the file nest build produced
# (dist/main.js for a standard project, dist/apps/app/main.js in monorepo mode)
CMD ["node", "dist/main.js"]

So you end up with a complete container in which your code is merged with the files and code from the other, separate repository we pulled from.
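Added check, not part of the original answer: a PAT passed into a build as an ARG (and especially as an ENV) tends to survive in three places of the final image: the layer history (`docker history --no-trunc` shows RUN and ENV lines with build-arg values expanded), the runtime environment, and the `/root/.gitconfig` written by `git config --global ... insteadOf`. The script below greps all three for a given token after a build. `scan_for_token` is the pure part (text on stdin, literal match) so it can be exercised with constructed input; `check_image` wires it to the docker commands. The image name and token are whatever you pass on the command line; it assumes the image has `/bin/sh` (node:17 does).

```shell
#!/usr/bin/env sh
# check-image-secrets.sh: does a build-time token survive inside the final image?
# Looks in three places a PAT passed via ARG/ENV typically ends up:
#   1. the layer history (RUN/ENV lines with expanded build-arg values),
#   2. the runtime environment baked in by ENV,
#   3. /root/.gitconfig written by "git config --global url...insteadOf".
set -u

# scan_for_token TOKEN   (text on stdin)
# returns 0 when the token is absent, 1 when it appears anywhere in the input.
# grep -F matches literally, so tokens containing '.' or '+' are safe.
scan_for_token() {
    token=$1
    if grep -F -q -- "$token"; then
        return 1
    fi
    return 0
}

# check_image IMAGE TOKEN
# returns 0 when the token is in none of the three places, 1 otherwise.
check_image() {
    image=$1
    token=$2
    status=0

    if ! docker history --no-trunc --format '{{.CreatedBy}}' "$image" | scan_for_token "$token"; then
        echo "LEAK: token appears in the layer history of $image" >&2
        status=1
    fi

    if ! docker inspect --format '{{range .Config.Env}}{{println .}}{{end}}' "$image" | scan_for_token "$token"; then
        echo "LEAK: token appears in the image ENV of $image" >&2
        status=1
    fi

    # a missing .gitconfig is fine; only its contents matter
    if ! docker run --rm --entrypoint sh "$image" -c 'cat /root/.gitconfig 2>/dev/null || true' | scan_for_token "$token"; then
        echo "LEAK: token appears in /root/.gitconfig of $image" >&2
        status=1
    fi

    return "$status"
}

# only runs when called with arguments: ./check-image-secrets.sh IMAGE TOKEN
if [ "$#" -eq 2 ]; then
    check_image "$1" "$2" && echo "OK: no trace of the token in $1"
fi
```

Usage: build with `docker build --build-arg CR_PAT="$CR_PAT" --build-arg github_username=... --build-arg repo_name=... -t app .` (the same arguments the GitHub Action passes), then run `./check-image-secrets.sh app "$CR_PAT"`. With the original single-stage Dockerfile the history and ENV checks both fire; with the two-stage version only the `COPY --from` line reaches the final image and the script reports OK.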