This post shares what I learned about building Docker images on GitHub Actions for a Python project that depends on Python packages in a private repository on GitHub.
Pipfile.lock
Use pipenv.
Make sure that Pipfile.lock is set to install the private repository as shown below.
Part of Pipfile.lock
"private-repository-package": {
    "editable": true,
    "git": "https://github.com/username/private-repository-package.git",
    "ref": "812u4dd76db6298ce50b5569a9a1d80759ba6e80"
},
Because the package is installed using netrc here, specify the repository with an https URL.
You can pin the version you want to install by setting ref to a commit hash.
If you haven't already installed the package, install it locally with a command like pipenv install private-repository-package, then modify the ref and run pipenv install again to update it.
See the official pipenv documentation for more details.
Dockerfile
The contents of the Dockerfile.
I'm using a -slim image. You can reduce the size of the image by about 1/3 compared to the non-slim image.
Dockerfile
FROM python:3.8.2-slim
# git and CA certificates are needed to clone the private package over https
RUN apt-get update && \
    apt-get install -y --no-install-recommends \
    ca-certificates \
    git \
    && apt-get clean && \
    rm -rf /var/lib/apt/lists/*
ENV WORKDIR /app/
WORKDIR ${WORKDIR}
COPY Pipfile Pipfile.lock ${WORKDIR}
# setup .netrc to install dependencies in private GitHub repository
ARG PRIVATE_REPO_ACCESS_KEY
RUN echo "machine github.com" > /root/.netrc && \
    echo "login $PRIVATE_REPO_ACCESS_KEY" >> /root/.netrc && \
    echo "password x-oauth-basic" >> /root/.netrc && \
    chmod 600 /root/.netrc
# install Python dependencies
RUN pip install pipenv --no-cache-dir && \
    pipenv install --system --deploy && \
    pip uninstall -y pipenv virtualenv-clone virtualenv
# remove anything sensitive or unnecessary
RUN rm /root/.netrc && \
    rm Pipfile Pipfile.lock
COPY src/ $WORKDIR
CMD python ./run.py
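The key point is the use of netrc. The Dockerfile takes the argument PRIVATE_REPO_ACCESS_KEY from outside (here, GitHub Actions) and writes it to the /root/.netrc file to allow https access to the private repository on GitHub.
Then, after pipenv install has completed using this .netrc file, the following step runs:
# remove anything sensitive or unnecessary
RUN rm /root/.netrc && \
    rm Pipfile Pipfile.lock
This step is included so that the value of PRIVATE_REPO_ACCESS_KEY is erased and not left in the Docker image. The removal only affects the final filesystem, however: /root/.netrc is written by an earlier RUN instruction, so the layer created by that instruction still contains the file, and build-arg values used by a RUN instruction are also recorded in the image metadata shown by docker history.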
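The same build with the credential supplied through a BuildKit secret mount instead of a build argument, so that the .netrc file exists only while the install step runs and is written neither to a layer nor to the image history. This is an added example, not part of the original post; the secret id netrc and the temporary file location in the comments are assumptions.

```dockerfile
# syntax=docker/dockerfile:1
# Added example: requires BuildKit. Build from the workflow step with, for example
# (the secret id "netrc" and the file location are assumptions):
#   printf 'machine github.com\nlogin %s\npassword x-oauth-basic\n' \
#     "$PRIVATE_REPO_ACCESS_KEY" > "$RUNNER_TEMP/netrc"
#   DOCKER_BUILDKIT=1 docker build --secret id=netrc,src="$RUNNER_TEMP/netrc" .
FROM python:3.8.2-slim

RUN apt-get update && \
    apt-get install -y --no-install-recommends \
    ca-certificates \
    git \
    && apt-get clean && \
    rm -rf /var/lib/apt/lists/*

ENV WORKDIR /app/
WORKDIR ${WORKDIR}
COPY Pipfile Pipfile.lock ${WORKDIR}

# No ARG carries the token. The secret file is mounted at /root/.netrc for this
# single RUN instruction only, so git can authenticate over https during
# pipenv install, and nothing from the mount is committed to the layer.
RUN --mount=type=secret,id=netrc,target=/root/.netrc \
    pip install pipenv --no-cache-dir && \
    pipenv install --system --deploy && \
    pip uninstall -y pipenv virtualenv-clone virtualenv && \
    rm Pipfile Pipfile.lock

COPY src/ $WORKDIR
CMD python ./run.py
```

Keep the temporary netrc file outside the build context so that it cannot be picked up by a COPY instruction.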
GitHub Actions
Get a personal access token to access your private repository on GitHub. The official documentation explains the procedure clearly.
Then register the token as a secret under Settings of the target GitHub repository. Other articles show this procedure with figures, and the official documentation also covers it.
GitHub Actions Yaml
Obtain the personal token set above from the secret and pass it to the docker command as PRIVATE_REPO_ACCESS_KEY in the Dockerfile earlier to perform the image build process.
Part of GitHub Actions Workflow YAML
env:
  PRIVATE_REPO_ACCESS_KEY: ${{ secrets.PRIVATE_REPO_ACCESS_KEY }}
run: |
  docker build --build-arg PRIVATE_REPO_ACCESS_KEY=${PRIVATE_REPO_ACCESS_KEY} .