Go の private module を Docker イメージのビルド中にダウンロードする

TL;DR

code:Dockerfile

ENV GOPRIVATE github.com/username-or-orgname

RUN git config --global credential.'https://github.com'.helper '!f() { \

echo "username=x-access-token"; \

echo "password=$(cat /run/secrets/GITHUB_TOKEN)"; \

}; f'

COPY go.mod go.sum .

RUN --mount=type=secret,id=GITHUB_TOKEN go mod download

code:bash

envchain gh docker build --secret id=GITHUB_TOKEN

vs. other options

Put machine github.com login x-access-token password ${GITHUB_TOKEN} in .netrc

👎 The plaintext access token is put on the Docker filesystem

git config --global url."https://x-access-token:${GITHUB_TOKEN}@github.com/username-or-orgname/".insteadOf "https://github.com/username-or-orgname/"

👎 The plaintext access token is put on the Docker filesystem

RUN git config --global url.ssh://git@github.com/.insteadOf https://github.com/ without RUN --mount=ssh

👎 You have to pass ssh credentials through ARG

RUN git config --global url.ssh://git@github.com/.insteadOf https://github.com/ with RUN --mount=ssh

🤔 It's one good option, but if you use SSH for another purpose except for GitHub.com authentication, it's difficult to control access.