Improve go private auth #7361
Comments
Just hit this myself. Some thoughts:
|
I ran into this problem today as well and looked into potential solutions. So far the following seems to be the case (and edge cases):
Currently it is possible to achieve this, in a self-hosted setup, with manually setting With all that said I assume that the most common scenario is the following and potentially the one to focus a first implementation on:
For determining which credentials are needed I think we have two options:
I plan on looking a bit further into this and see if I can get something implemented, although I'm not too familiar with the inner workings of renovate yet. I think the best approach would be 2 with maybe 3 as a reasonable default, but would appreciate pointers and further input :) Edit: From a first experiment I found that newer versions of git (2.32) allow the usage of environment variables for configuration, making it easy to pass specific configuration to only a single command (e.g.
I tried that with the following test code and that seems to go in the right direction.
Code diff
diff --git a/lib/manager/gomod/artifacts.ts b/lib/manager/gomod/artifacts.ts
index 36f05c098..bf6ba3bb7 100644
--- a/lib/manager/gomod/artifacts.ts
+++ b/lib/manager/gomod/artifacts.ts
@@ -8,7 +8,7 @@ import { logger } from '../../logger';
import { ExecOptions, exec } from '../../util/exec';
import { ensureCacheDir, readLocalFile, writeLocalFile } from '../../util/fs';
import { getRepoStatus } from '../../util/git';
-import { find } from '../../util/host-rules';
+import { find, findAll} from '../../util/host-rules';
import { isValid } from '../../versioning/semver';
import type {
PackageDependency,
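Review bot: style nit on the changed import: `{ find, findAll}` is missing the space before the closing brace that the neighbouring imports use (`{ ExecOptions, exec }`); write `{ find, findAll }`. `find` is still used for the github.com lookup in the next hunk, so importing both names is right.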
@@ -17,19 +17,41 @@ import type {
UpdateArtifactsResult,
} from '../types';
-function getPreCommands(): string[] | null {
+function getGitEnvironment(): NodeJS.ProcessEnv {
+ let gitEnvCounter: number = 0;
+ let gitEnvVariables: NodeJS.ProcessEnv = {};
+
const credentials = find({
hostType: PLATFORM_TYPE_GITHUB,
url: 'https://api.github.com/',
});
- let preCommands = null;
+
if (credentials?.token) {
const token = quote(credentials.token);
- preCommands = [
- `git config --global url.\"https://${token}@github.com/\".insteadOf \"https://github.com/\"`, // eslint-disable-line no-useless-escape
- ];
+ // gitEnvCounter is zero indexed, thus we first create the variables and then increment the counter
+ gitEnvVariables[`GIT_CONFIG_KEY_${gitEnvCounter}`] = `url.https://${token}@github.com/.insteadOf`;
+ gitEnvVariables[`GIT_CONFIG_VALUE_${gitEnvCounter}`] = `https://github.com/`;
+ gitEnvCounter++;
}
- return preCommands;
+
+ // get all credentials we have for go using git
+ const goGitCredentials = findAll({
+ hostType: "go-git",
+ })
+
+ for (const goGitCredential of goGitCredentials) {
+ // Check that both a token exists and a matchHost
+ if (goGitCredential.token && goGitCredential.matchHost) {
+ const token = quote(goGitCredential.token);
+ // gitEnvCounter is zero indexed, thus we first create the variables and then increment the counter
+ gitEnvVariables[`GIT_CONFIG_KEY_${gitEnvCounter}`] = `url.https://${token}@${goGitCredential.matchHost}/.insteadOf`;
+ gitEnvVariables[`GIT_CONFIG_VALUE_${gitEnvCounter}`] = `https://${goGitCredential.matchHost}/`;
+ gitEnvCounter++;
+ }
+ };
+ // set the GIT_CONFIG_COUNT to the number of KEY/Value pairs
+ gitEnvVariables["GIT_CONFIG_COUNT"] = gitEnvCounter.toString();
+ return gitEnvVariables;
}
function getUpdateImportPathCmds(
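Review bot: `quote(...)` on both token lines was needed when the token was spliced into the `git config --global` shell command that this hunk removes, but here the value goes straight into an environment variable and no shell parses it, so any quoting characters it adds become part of the URL in `GIT_CONFIG_KEY_n`. URL-encode the token for the userinfo position instead (for example with `encodeURIComponent`), and check that `matchHost` is a bare hostname before interpolating it, since a value carrying a scheme or path would produce a malformed `url.<base>.insteadOf` key. Because the token now sits in the process environment, it should also be kept out of any logging of the exec options. Smaller points: `gitEnvVariables` can be `const`, the `: number` annotation is redundant, the `};` after the `for` loop has a stray semicolon, and `"go-git"` and `"GIT_CONFIG_COUNT"` use double quotes where the rest of the file uses single quotes.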
@@ -128,13 +150,13 @@ export async function updateArtifacts({
GONOSUMDB: process.env.GONOSUMDB,
GOFLAGS: useModcacherw(config.constraints?.go) ? '-modcacherw' : null,
CGO_ENABLED: getAdminConfig().binarySource === 'docker' ? '0' : null,
+ ... getGitEnvironment(),
},
docker: {
image: 'go',
tagConstraint: config.constraints?.go,
tagScheme: 'npm',
volumes: [goPath],
- preCommands: getPreCommands(),
},
}; |
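Review bot: dropping `preCommands` from the `docker` block makes the credential rewrite depend entirely on the git inside the `go` image honouring `GIT_CONFIG_COUNT`; with an older git the variables are silently ignored and private fetches fail with an authentication error that does not point at the cause. Either keep a fallback for images whose git predates that feature or add a version check with a clear log message. Also, `... getGitEnvironment()` should be written `...getGitEnvironment()`, and since the function always sets `GIT_CONFIG_COUNT` (to `0` when no credentials match) it would be cleaner to spread it only when there is at least one key/value pair.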
When we re-raise this feature again:
|
By @Shegox in the PR: @rarkins, one thing I'm uncertain and would like your input about how to do best would be to determine which packages should be updated from the source (e.g. git) instead of using the default go module proxy. This is achieved through the comma-separated The idea behind the previous implementation is that If the My alternative idea is to only allow the authentication using hostRules of type |
There will be some servers (e.g. private GHE) which users will want to be looked up directly. In most cases, would it be sufficient for the bot admin to simply configure them in GOPRIVATE? The trickiest is github.com. The majority of OSS packages live on github.com, and would be best looked up through the public go proxy and checksum database. But there will also be cases - for both the hosted app as well as self-hosted - where there are some private packages on github.com which should be looked up directly. We want to avoid the situation where we look up all github.com packages directly just because one or more is private. The goproxy website includes this relevant example:
BTW I wasn't aware of this:
Is that the behavior when One possibility as a better solution to |
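The scoping problem raised in the comment above (one private github.com module should not send every github.com lookup direct), as an added example that is not from the thread or from Renovate. It re-implements Go's prefix-glob matching rule for GOPRIVATE; the function names `matchesGoprivate` and `directModules` and all module paths are constructed for illustration.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// matchesGoprivate reports whether modulePath is covered by a GOPRIVATE-style
// comma-separated glob list. A glob with N path elements is compared with the
// first N elements of the module path, so "github.com/acme-corp" covers
// "github.com/acme-corp/billing" but not "github.com/acme-corporation/x".
func matchesGoprivate(patterns, modulePath string) bool {
	elems := strings.Split(modulePath, "/")
	for _, glob := range strings.Split(patterns, ",") {
		n := strings.Count(glob, "/") + 1
		if glob == "" || len(elems) < n {
			continue // empty entry, or module path shorter than the pattern
		}
		if ok, _ := path.Match(glob, strings.Join(elems[:n], "/")); ok {
			return true
		}
	}
	return false
}

// directModules returns the modules that would bypass the public proxy and
// checksum database (GOPRIVATE is the default for GONOPROXY and GONOSUMDB).
func directModules(goprivate string, modules []string) []string {
	var direct []string
	for _, m := range modules {
		if matchesGoprivate(goprivate, m) {
			direct = append(direct, m)
		}
	}
	return direct
}

func main() {
	// Constructed module paths: two public, two private.
	mods := []string{
		"github.com/pkg/errors",
		"golang.org/x/mod",
		"github.com/acme-corp/billing",
		"ghe.example.com/platform/auth",
	}
	fmt.Println("broad: ", directModules("github.com,ghe.example.com", mods))
	fmt.Println("scoped:", directModules("github.com/acme-corp,*.example.com", mods))
}
```

With the broad setting the public `github.com/pkg/errors` is fetched directly as well; the scoped setting keeps it on the proxy and checksum database.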
I'm no go expert either, but from my research so far it is indeed the case that you always need to configure Currently the lookup works like this:
So I think the whole thing is a two step configuration. One having the credentials available to query the source (e.g. git) and the second thing of telling go for which modules to use the source via The source credentials can be rather broadly configured (e.g. for all of github.com). I think passing through other variables like I would now propose a few implementation steps and if okay would create separate PRs for that:
|
I agree with these steps:
|
I started the implementation of this in #12230 and would have some questions and would like your input on that @rarkins:
|
hostType should match manager name |
I'm actually ok with ignoring hostType and adding any host with a token just in case. Certainly, we could add from hostRules which don't have a hostType |
I would as well say that adding all host Rules with a renovate/lib/util/host-rules.ts Lines 145 to 150 in 8316eb1
|
I think |
🎉 This issue has been resolved in version 28.19.0 🎉 The release is available on:
Your semantic-release bot 📦🚀 |
What would you like Renovate to be able to do?
Support private modules and not fail go x commands.
Did you already have any implementation ideas?
It seems that ~/.netrc and ~/.gitconfig files can help: https://golang.org/doc/faq#git_https. Not sure if GOPRIVATE is necessary too?
More references:
https://medium.com/cloud-native-the-gathering/go-modules-with-private-git-repositories-dfe795068db4
https://medium.com/@ysamlan/thanks-for-the-writeup-7b46bb5c927a
https://smartystreets.com/blog/2018/09/private-dependencies-in-docker-and-go
#7252
Are there any workarounds or alternative ideas you've tried to avoid needing this feature?
It can work today for github.com but that's maybe it
Is this a feature you'd be interested in implementing yourself?
Maybe