Docker SSH

Access private repos when building Docker images.


Note that this guide works only with GitHub, but with slight modifications it can easily be adapted to GitLab and others.

Prerequisites

Install the following tools:

Enable the experimental features for Docker CLI by adding the following config to ~/.docker/config.json:

{
    "experimental": "enabled"
}

And enable the experimental features for Docker Daemon by adding the following config to the /etc/docker/daemon.json file (for Linux; on macOS it's ~/.docker/daemon.json):

{
    "experimental": true
}

Start the ssh-agent:

eval "$(ssh-agent -s)"

And add your current SSH key to the agent:

ssh-add ~/.ssh/id_rsa

Lastly, set up the known_hosts file to avoid prompts from SSH:

ssh-keyscan github.com >> ./known_hosts

NOTE: On Linux, you probably don't need to start the agent as it should be started at login.
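ssh-keyscan records whatever host key the network returns, so the known_hosts file passed to the build is only as trustworthy as the connection it was scanned over. The following added example (not part of this repository) filters scan output against fingerprints you pin yourself, for instance the ones GitHub publishes in its documentation; the script name pin_known_hosts.py, the function names and the sample key blobs are assumptions made for illustration.

```python
import base64
import hashlib
import sys


def fingerprint(key_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def filter_known_hosts(scan_output: str, host: str, pinned: set) -> list:
    """Return the scanned lines for `host` whose key matches a pinned fingerprint."""
    kept = []
    for line in scan_output.splitlines():
        fields = line.split()
        # Skip blanks, ssh-keyscan banner comments, short lines and other hosts.
        if len(fields) < 3 or fields[0].startswith("#") or host not in fields[0].split(","):
            continue
        try:
            fp = fingerprint(fields[2])
        except ValueError:  # malformed base64 in the key field
            continue
        if fp in pinned:
            kept.append(" ".join(fields[:3]))
    if not kept:
        # Fail closed: never hand the build an unverified known_hosts file.
        raise ValueError(f"no scanned key for {host} matches a pinned fingerprint")
    return kept


# Constructed sample input: placeholder blobs, not real GitHub host keys.
GOOD_BLOB = base64.b64encode(b"constructed-key-expected").decode()
OTHER_BLOB = base64.b64encode(b"constructed-key-unexpected").decode()
SAMPLE_SCAN = (
    "# github.com:22 SSH-2.0-constructed\n"
    f"github.com ssh-ed25519 {GOOD_BLOB}\n"
    f"github.com ssh-rsa {OTHER_BLOB}\n"
)
SAMPLE_PINNED = {fingerprint(GOOD_BLOB)}

if __name__ == "__main__":
    # Real use: ssh-keyscan github.com | python3 pin_known_hosts.py SHA256:... > ./known_hosts
    if sys.argv[1:]:
        lines = filter_known_hosts(sys.stdin.read(), "github.com", set(sys.argv[1:]))
    else:  # no fingerprints given: run on the constructed sample
        lines = filter_known_hosts(SAMPLE_SCAN, "github.com", SAMPLE_PINNED)
    print("\n".join(lines))
```

Because the script raises when nothing matches, a CI step that pipes ssh-keyscan through it stops before docker buildx runs if the scanned key is unexpected.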

Build

Build a base image that just clones a private repo (we'll use this in another image):

docker buildx build -f Dockerfile.priv-repo \
    --ssh default \
    --secret id=known_hosts,src=./known_hosts \
    --build-arg PRIV_GIT_REPO=<my private repo> \
    --tag priv-repo \
    .

Or build the base image with bake:

PRIV_GIT_REPO=<my private repo> docker buildx bake priv-repo

Now build an image that just copies whatever was in the private repo to the host:

docker buildx build -f Dockerfile -o type=local,dest=./priv-code .

Or build the image with bake:

docker buildx bake

SSH Auth

Note that the GitHub CI workflow is set up to use deploy keys instead of a user SSH key. Read more about security in workflows at Security hardening for GitHub Actions.