#Private modules via Github App ?


serene cloak
#

Is it currently possible to use a GitHub App to authenticate when pulling a private module?
So far I've been able to rely on a deploy key for a central private daggerverse repo that I simply install on the agents, but that's not really possible if multiple repositories are involved (other than hacking it with a dedicated github.com user).
Maybe it would be doable to generate a token with app installation creds and somehow shove it into the credential store (not sure what that would be on an ephemeral agent, if any)?

pure lava
#

Hey @serene cloak! You can definitely use an installation token to authenticate. You are on the right track with your suggestion. This is a sample Go program that fetches an installation token and can be configured with git as a credential helper on the client making the dagger call:

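package main

import (
    "context"
    "fmt"
    "net/http"
    "os"

    "github.com/bradleyfalzon/ghinstallation/v2"
    "github.com/google/go-github/v74/github"
)

func main() {
    ctx := context.Background()

    // Transport that authenticates as the GitHub App itself (app ID + private key).
    appsTransport, err := ghinstallation.NewAppsTransport(
        http.DefaultTransport,
        <YOUR APP ID>,
        <YOUR APP PRIVATE KEY>,
    )
    if err != nil {
        fmt.Fprintf(os.Stderr, "error creating apps transport: %v\n", err)
        os.Exit(1)
    }

    ghClient := github.NewClient(&http.Client{
        Transport: appsTransport,
    })

    // Exchange the app identity for an installation access token.
    it, _, err := ghClient.Apps.CreateInstallationToken(ctx, <YOUR APP INSTALLATION ID>, nil)
    if err != nil {
        fmt.Fprintf(os.Stderr, "error creating installation token: %v\n", err)
        os.Exit(1)
    }

    // Credential-helper output format: git reads username/password from stdout.
    fmt.Printf("username=oauth\npassword=%s\n", *it.Token)
}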

You could install the binary and configure it:

go install <YOUR GO MODULE>
git config --global credential.helper <YOUR BINARY>

Credentials to fetch git repos are always provided by the client, not the engine, so this should work as long as the client making the call has the helper configured. FYI, this is what we do internally to provide documentation for private modules in https://dagger.cloud
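
An added example, not part of the reply above or of Dagger's own code: git calls a credential helper with an operation (`get`, `store`, `erase`) and writes `key=value` attributes such as `protocol` and `host` to its stdin, so a helper can decline to hand the installation token to anything other than `https://github.com`. The names `parseRequest`, `respond` and `mint` are hypothetical, and `mint` stands in for the installation-token call with a constructed placeholder value.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"os"
	"strings"
)

// parseRequest reads the key=value attributes git writes to the helper's
// stdin, stopping at the first blank line or EOF.
func parseRequest(r io.Reader) map[string]string {
	attrs := map[string]string{}
	sc := bufio.NewScanner(r)
	for sc.Scan() && sc.Text() != "" {
		if k, v, ok := strings.Cut(sc.Text(), "="); ok {
			attrs[k] = v
		}
	}
	return attrs
}

// respond returns what the helper prints for one invocation. It answers only
// "get" for https://github.com; for anything else it prints nothing, so the
// token is never offered to another host or over plain http.
// mint is a hypothetical hook standing in for the installation-token call.
func respond(op string, in io.Reader, mint func() (string, error)) (string, error) {
	attrs := parseRequest(in)
	if op != "get" || attrs["protocol"] != "https" || attrs["host"] != "github.com" {
		return "", nil
	}
	token, err := mint()
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("username=oauth\npassword=%s\n", token), nil
}

func main() {
	// Constructed placeholder token; a real helper would mint one here.
	mint := func() (string, error) { return "<INSTALLATION TOKEN>", nil }
	// git passes the operation (get, store, erase) as the last argument.
	out, err := respond(os.Args[len(os.Args)-1], os.Stdin, mint)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Print(out)
}
```

Git can also scope a helper to one host with `git config --global credential.https://github.com.helper <YOUR BINARY>`, which complements the check inside the helper.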