在Heroku应用上通过点子安装私有git repo的正确/安全方法是什么? [英] What is the right/secure way to pip install a private git repo on a Heroku app?
问题描述
应用程序结构(Python FastAPI):
App structure (Python FastAPI):
-my_app
-server.py
-Procfile
-requirements.txt
为了安装Heroku应用程序所需的私有git repo,我在requirements.txt
中添加了以下行:
In order to install a private git repo required by my Heroku app, I added the following line to my requirements.txt
:
git+https://<github-token>@github.com/me/my-private-repo.git
但是在推送时,Github给我发电子邮件说,由于我在一次提交中公开了令牌,因此它已撤销了令牌. (我的应用程序仓库是私有的.)完全公平!但是,我的Heroku构建现在失败了,因为在尝试安装私有存储库时会提示输入密码.
However on pushing, Github emailed me to say that since I had exposed my token in a commit it had revoked the token. (My app repo is private.) Totally fair! However, my Heroku build now fails, since it prompts for a password when attempting to install the private repo.
我已经搜索过多次SO/互联网re:私人仓库,但是总是遇到相互矛盾的建议.
I've searched SO/the internet many times re: private repos, but have always come across conflicting suggestions.
很高兴听到在这种情况下的最佳实践,以便在自动构建中安全地安装私有存储库.
Would be grateful to hear what is best practice in this case, for safely installing a private repo in an automated build.
到目前为止我已经尝试过的:
What I've tried so far:
-
git+git://username:password@github.com/me/myrepo.git
而不是令牌显然具有相同的问题 -
git+ssh://git@github.com/me/myrepo.git
-产生错误Host key verification failed.
- 将用户名:密码(或令牌)存储为Heroku环境变量-似乎从此处
pip
git+git://username:password@github.com/me/myrepo.git
instead of token obviously has the same issuegit+ssh://git@github.com/me/myrepo.git
- yields errorHost key verification failed.
- Store username:password (or token) as Heroku environment variables - seems from here that this isn't possible with
pip
要在ssh
选项上进行扩展,请在本地计算机上进行以下工作:
To expand on the ssh
option, the following work on my local machine:
-
pip3 install git+ssh://git@github.com/me/my_private-repo.git
-
git clone https://github.com/me/my_private-repo.git
pip3 install git+ssh://git@github.com/me/my_private-repo.git
git clone https://github.com/me/my_private-repo.git
但是,当我的requirements.txt
包含git+ssh://git@github.com/me/my_private-repo.git
时,我的Heroku构建会返回Host key verification failed. fatal: Could not read from remote repository. Please make sure you have the correct access rights and the repository exists.
However when my requirements.txt
contains git+ssh://git@github.com/me/my_private-repo.git
, my Heroku build returns Host key verification failed. fatal: Could not read from remote repository. Please make sure you have the correct access rights and the repository exists.
推荐答案
最后使它起作用.我要感谢Michel Blancard的 answer 和相关的自定义buidpack :
Finally got it to work. I'm indebted to Michel Blancard's answer and associated gist, and Bo Jeanes' custom buidpack:
在requirements.txt
中:
git+ssh://git@github.com/me/my-private-repo.git
将我的私有SSH密钥转换为Heroku(!)的(旧)PEM格式:
Convert my private SSH key to the (old) PEM format for Heroku(!):
ssh-keygen -f ~/.ssh/id_rsa -m PEM -p
(归功于此答案)
将私有SSH密钥添加为Heroku变量:
Add private SSH key as Heroku variable:
heroku config:set SSH_KEY="$(cat ~/.ssh/id_rsa)"
添加此自定义生成包,使其在Python生成包之前运行私密SSH密钥:
Add this custom buildpack to run before the Python buildpack which enables a private SSH key:
heroku buildpacks:add --index 1 https://github.com/heroku/heroku-buildpack-ssh-key.git
部署!
这篇关于在Heroku应用上通过点子安装私有git repo的正确/安全方法是什么?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!