mirror of
https://github.com/docker/build-push-action.git
synced 2026-07-04 14:05:38 +00:00
Compare commits
4 Commits
c34960e96b
...
3541703538
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
3541703538 | ||
|
|
9f6f8c940b | ||
|
|
8411d080ee | ||
|
|
df45ce9a13 |
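--- /dev/null
+++ b/SSH
@@ -0,0 +1,66 @@
+
+How To Install Private Git Hosted Dependencies Inside Docker Image Using SSH
+#
+docker
+#
+devops
+#
+security
+#
+python
+Introduction
+This quick guide will show you how to mount a ssh key inside a container in build time, to allow you to install private dependencies, that won't be persisted in the final image. It uses python but could work with any language/package manager that uses git + ssh.
+
+Dockerfile
+First you need to set Dockerfile syntax to docker/dockerfile:1.2. Put this in the beggining of the file:
+
+# syntax = docker/dockerfile:1.2
+Now install git and openssh, and setup ssh folders:
+
+RUN apt update && \
+apt install -y git openssh-client && \
+mkdir -p /root/.ssh && \
+ssh-keyscan github.com >> /root/.ssh/known_hosts
+May vary depending on the base image you're using, just change with the package manager you use.
+
+Make sure to change github.com with your git host.
+
+Now you have to mount the ssh key in the step that installs the dependency:
+
+RUN --mount=type=secret,id=id_rsa,dst=/root/.ssh/id_rsa \
+pip install git+ssh://git@github.com/username/repository.git@version
+This will mount secret identified by id_rsa on /root/.ssh/id_rsa.
+
+Building
+When building you need to specify your ssh key as id_rsa secret:
+
+docker build . \
+-f Dockerfile \
+--secret id=id_rsa,src=/home/user/.ssh/id_rsa
+Or using docker compose:
+
+version: '3.7'
+services:
+your_service:
+build:
+context: .
+dockerfile: Dockerfile
+secrets:
+- id_rsa
+secrets:
+id_rsa:
+file: /home/user/.ssh/id_rsa
+Final file
+# syntax = docker/dockerfile:1.2
+
+FROM python:3.11
+
+RUN apt update && \
+apt install -y git openssh-client && \
+mkdir -p /root/.ssh && \
+ssh-keyscan github.com >> /root/.ssh/known_hosts
+
+RUN --mount=type=secret,id=id_rsa,dst=/root/.ssh/id_rsa \
+pip install git+ssh://git@github.com/username
+example
+pip install git+ssh://git@github.com/sammyfilly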
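Review bot: `ssh-keyscan github.com >> /root/.ssh/known_hosts` records whatever host key the build network returns, so the later `pip install git+ssh://…` checks the server against an unverified key; both Dockerfile listings in this file contain it. Ship a `known_hosts` entry that has been compared with the host's published fingerprints instead, e.g. `COPY known_hosts /root/.ssh/known_hosts`. Separately, `--mount=type=ssh` with a forwarded agent would keep the private key file out of the build container altogether, whereas `type=secret` only keeps it out of the image layers. The file also ends in what look like two truncated `pip install` URLs and reads like an article unrelated to this action, so it may not belong in the repository at all.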
2
dist/index.js
generated
vendored
2
dist/index.js
generated
vendored
File diff suppressed because one or more lines are too long
2
dist/index.js.map
generated
vendored
2
dist/index.js.map
generated
vendored
File diff suppressed because one or more lines are too long
@ -102,11 +102,15 @@ async function getBuildArgs(inputs: Inputs, context: string, toolkit: Toolkit):
|
||||
await Util.asyncForEach(inputs.attests, async attest => {
|
||||
args.push('--attest', attest);
|
||||
});
|
||||
} else if (inputs.attests.length > 0) {
|
||||
core.warning("Attestations are only supported by buildx >= 0.10.0; the input 'attests' is ignored.");
|
||||
}
|
||||
if (await toolkit.buildx.versionSatisfies('>=0.12.0')) {
|
||||
await Util.asyncForEach(inputs.annotations, async annotation => {
|
||||
args.push('--annotation', annotation);
|
||||
});
|
||||
} else if (inputs.annotations.length > 0) {
|
||||
core.warning("Annotations are only supported by buildx >= 0.12.0; the input 'annotations' is ignored.");
|
||||
}
|
||||
await Util.asyncForEach(inputs.buildArgs, async buildArg => {
|
||||
args.push('--build-arg', buildArg);
|
||||
@ -115,6 +119,8 @@ async function getBuildArgs(inputs: Inputs, context: string, toolkit: Toolkit):
|
||||
await Util.asyncForEach(inputs.buildContexts, async buildContext => {
|
||||
args.push('--build-context', buildContext);
|
||||
});
|
||||
} else if (inputs.buildContexts.length > 0) {
|
||||
core.warning("Build contexts are only supported by buildx >= 0.8.0; the input 'build-contexts' is ignored.");
|
||||
}
|
||||
await Util.asyncForEach(inputs.cacheFrom, async cacheFrom => {
|
||||
args.push('--cache-from', cacheFrom);
|
||||
@ -169,6 +175,8 @@ async function getBuildArgs(inputs: Inputs, context: string, toolkit: Toolkit):
|
||||
if (inputs.sbom) {
|
||||
args.push('--sbom', inputs.sbom);
|
||||
}
|
||||
} else if (inputs.provenance || inputs.sbom) {
|
||||
core.warning("Attestations are only supported by buildx >= 0.10.0; the inputs 'provenance' and 'sbom' are ignored.");
|
||||
}
|
||||
await Util.asyncForEach(inputs.secrets, async secret => {
|
||||
try {
|
||||
|
||||
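Review bot: The new `else if` branches for `attests` and for `provenance`/`sbom` only call `core.warning`, so on buildx older than 0.10.0 the step still succeeds and produces an image without the attestations the workflow asked for. For supply-chain inputs a log warning is easy to miss, and a later verification policy would be the first place the gap shows; consider failing instead, e.g. `throw new Error("buildx >= 0.10.0 is required for the 'attests' input");`, or documenting that these inputs are best-effort. `inputs.provenance || inputs.sbom` is a truthiness test on what appear to be string inputs (see `args.push('--sbom', inputs.sbom)`), so an explicit `sbom: false` would presumably also trigger the warning; worth confirming. getBuildArgs starts and ends outside these hunks, and the file header for this section is not shown on the page.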