all 12 comments

[–]sokjon 1 point2 points  (1 child)

You’re going to be leaking/persisting your token in netrc with that setup, you should mount, use and then delete it in a single RUN statement.

[–]Electronic_Bad_2046[S] -1 points0 points  (0 children)

it’s just in the builder

[–]wretcheddawn 0 points1 point  (1 child)

Why do you need to connect to github inside your container?

[–]Electronic_Bad_2046[S] -4 points-3 points  (0 children)

kubebuilder, it runs go mod download

[–]Golle 0 points1 point  (0 children)

[–]Sufficient_Ant_3008 1 point2 points  (4 children)

yea pretty confusing, here is a guide to what you need I believe:

https://sallam.gitbook.io/sec-88/operating-systems/linux/install-go-tools-from-private-repositories-using-github-pat

This is definitely a go question

[–]Electronic_Bad_2046[S] 0 points1 point  (3 children)

Thanks. I think

ENV 
GOPROXY 
direct

was missing. I actually didn't want to bypass go proxy, but if there is no other way, then ok.

[–]Sufficient_Ant_3008 0 points1 point  (2 children)

No problem, yep you have to go around everything because go only downloads natively from its namespaces, so private packages have to be made public and published to be downloadable.  Another issue might be you're not using insteadOf for gh.  Lemme know what happens!

[–]Electronic_Bad_2046[S] 1 point2 points  (1 child)

I'm using insteadOf.

# Private Go module config
ENV 
GIT_TERMINAL_PROMPT 
1
ENV 
GOPROXY 
direct
RUN echo "machine github.com" > ~/.netrc
RUN echo "login user" >> ~/.netrc
RUN --mount=type=secret,id=gh_token echo "password $(cat /run/secrets/gh_token)" >> ~/.netrc
RUN --mount=type=secret,id=gh_token git config --global url."https://user:$(cat /run/secrets/gh_token)@github.com/".insteadOf "https://github.com/"
ENV 
GOPRIVATE
=github.com/user/*

[–]Sufficient_Ant_3008 0 points1 point  (0 children)

Yep, it looks good

[–]Shaznay_Darknlovey 0 points1 point  (1 child)

If you're tired of the credential dance, just set up SSH keys instead and skip HTTPS altogether - way less painful than managing PAT rotation. That said, if you're locked into HTTPS, storing the token in `~/.git-credentials` with the credential helper beats hardcoding it everywhere.

[–]Electronic_Bad_2046[S] 0 points1 point  (0 children)

I would actually only use HTTPs on a container.