Comments (20)
@skorfmann We've had some success using personal access tokens on our 'machine user', and then providing them in the url for the repository.
Similar to this
git clone https://<token>:[email protected]/owner/repo.git
It's still cumbersome, but slightly less so.
from gitness.
Official support for updating your repository keys via rest:
http://readme.drone.io/api/repos/put/
Along with support for updating keys via the command line utility:
drone set-key github.com/foo/bar ~/.ssh/id_rsa
from gitness.
have you looked into the -identity flag for the drone command?
from gitness.
No, I hadn't seen that - it looks like it'll solve my issue perfectly, thanks!
It's still worth documenting that somewhere, and ideally adding the functionality to the web UI.
I'll close this for now, and leave it up to you whether you want to open a new issue for the web UI.
Thanks again.
from gitness.
I tried to find the right place to add a global SSH key for my Drone instance, however I couldn't find it.
How and where do you provide that identity flag?
from gitness.
SSH keys are automatically generated for each repository and stored in the database. For private projects, the public key is automatically registered with GitHub. The private key gets injected into the build container at $HOME/.ssh/id_rsa
from gitness.
> SSH keys are automatically generated for each repository and stored in the database. For private projects, the public key is automatically registered with GitHub. The private key gets injected into the build container at $HOME/.ssh/id_rsa
Yes, I took that generated key, removed it from the 'deployment keys' on Github and added it to our 'automation github user'. However, as we have various projects with private dependencies, it gets quite cumbersome to repeat this for every new project. Hence I thought, it would be nice to add a global key that gets injected to every build.
The identity option for the drone command sounds pretty much like the solution I was looking for, but I wasn't able to wrap my head around it. I found this reference in the code, but I just couldn't figure out how to utilize it.
from gitness.
The --identity option is only available to the drone client. The drone client is used to execute builds in virtual machines locally, on your personal computer, as opposed to on the server.
The drone server does not provide a global ssh key. We can definitely come up with a solution to this, however, in the short term you'll need to add the keys to your automation user account.
from gitness.
Cool, thanks for explaining.
from gitness.
Is there a solution to this now? The issue is closed and I didn't see anything referencing it. This would be very helpful.
from gitness.
I have a solution that I'd like to implement to solve this in our 0.3 branch (labeled exp). It should be a relatively simple change, with just a few modifications to the codebase.
Step 1: alter the REST handler that updates the repo to accept a key pair
https://github.com/drone/drone/blob/exp/server/handler/repo.go#L180
Step 2: add a command to the CLI to upload a key pair
https://github.com/drone/drone/tree/exp/cmd
The command would look something like drone key set github.com/foo/bar /path/to/private/key. The repo name and private key would be provided as command line args. The public key is assumed to reside in the same directory as the private key, but with a ".pub" extension.
Ideally we could verify the following in the command line utility, prior to uploading:
- the public / private key are valid using Go's RSA package
- the key pair does not require a password
NOTE this would give you the ability to change key pairs from the command line only (or via the RESTful API). You would not be able to update the key pair via the website. We are trying to keep the website as minimalist as possible, and are trying to push all advanced features to the command line utility / REST API.
from gitness.
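The two pre-upload checks proposed in the comment above (key pair is valid, private key needs no password), as an added example that is not Drone's code. It uses only Go's standard library; `CheckKeyPair` and `PubLine` are hypothetical names, and it assumes a PKCS#1 PEM private key (`RSA PRIVATE KEY`) with the legacy PEM encryption header, so OpenSSH-format private keys are rejected rather than parsed.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
)

// mpint encodes positive n as an SSH mpint body (big-endian, zero-padded if the top bit is set).
func mpint(n *big.Int) []byte {
	return n.FillBytes(make([]byte, n.BitLen()/8+1))
}
// PubLine (hypothetical helper) renders pub as the "ssh-rsa <base64>" text of a .pub file.
func PubLine(pub *rsa.PublicKey) string {
	var blob []byte
	for _, f := range [][]byte{[]byte("ssh-rsa"), mpint(big.NewInt(int64(pub.E))), mpint(pub.N)} {
		blob = append(append(blob, byte(len(f)>>24), byte(len(f)>>16), byte(len(f)>>8), byte(len(f))), f...)
	}
	return "ssh-rsa " + base64.StdEncoding.EncodeToString(blob)
}

// CheckKeyPair (hypothetical name) rejects passphrase-protected, malformed or mismatched pairs.
func CheckKeyPair(privPEM []byte, pubFile string) error {
	block, _ := pem.Decode(privPEM)
	if block == nil || block.Type != "RSA PRIVATE KEY" {
		return fmt.Errorf("private key is not a PKCS#1 RSA PEM block")
	}
	if strings.Contains(block.Headers["Proc-Type"], "ENCRYPTED") { // legacy PEM encryption marker
		return fmt.Errorf("private key requires a passphrase")
	}
	key, err := x509.ParsePKCS1PrivateKey(block.Bytes) // rejects malformed key material
	if err != nil {
		return fmt.Errorf("parse private key: %w", err)
	}
	if f := strings.Fields(pubFile); len(f) < 2 || f[0]+" "+f[1] != PubLine(&key.PublicKey) {
		return fmt.Errorf("public key does not match the private key")
	}
	return nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed sample key, generated at run time
	priv := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
	fmt.Println(CheckKeyPair(priv, PubLine(&key.PublicKey)+" ci@example"))
}
```

The public half is compared by re-encoding it from the private key, so the trailing comment in the `.pub` file is ignored and a swapped or stale `.pub` is caught before upload.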
Just pushed 96e6603 which allows you to update the SSH keys via REST API. Next step will be to add this functionality to the command line utility.
from gitness.
we are going to experiment with a new idea here. We are going to add a .netrc file to the build environment with the access token, similar to the comment by @gdborton
this would not apply to public (open source) repositories for security reasons.
this should work well for GitHub and GitLab. I'm sure we can get something working with Gogs as well. Bitbucket seems like a lost cause, but you never know ...
from gitness.
take a look https://github.com/blog/1957-git-2-3-has-been-released for new GIT_SSH_COMMAND
from gitness.
I am having issues with Github SSH and Drone.
Originally, I was using a deploy key from Drone on my repo and everything was peachy. However, we soon ran into a problem where we needed to clone a private repo in our npm install. I made a machine user on Github that I added the keys for on my machine and on the machine user, and added that machine user to our orgs on GH. I could clone everything just fine from the machine, all the access rights were correct.
When drone would build, however, it wouldn't pull in this key and use another key (presumably the deploy key) to try and clone this repo we were using in npm.
So I used the REST API to update the public and private keys on Drone to be that of our user, it worked properly and on the web interface it showed my repo as having that public key.
Now I can't even get Drone to clone my repo in the first place since the keys for that are now wrong, and I basically took two steps backward.
@bradrydzewski am I doing something completely wrong? I now have a broken Drone instance with no way to reset the keys. Are there any workarounds here?
from gitness.
@MattyKuzyk you can reset key pair of any of your repo via command drone set-key. see this comment. it works for me when using latest drone cli.
from gitness.
closing in favor of #1090 which is implemented in 0.4 branch (upcoming release). We use a .netrc file to authorize cloning the https url. This means you can go get or npm install other private repos
from gitness.
Hi @bradrydzewski, could you show an example of use with the .netrc?
In the project I'm working in, I have a public repo that uses a private for build. So I'm not sure I can use this approach
also, can not find an example of use for the identity flag
thanks in advance!
from gitness.
@jgermade the netrc file is only injected into private build environments for security reasons. Exposing a netrc file or ssh key for a public repository would make it susceptible to theft by issuing a malicious pull request.
You are more than welcome to use secrets to provide a GitHub token or credentials to your build environment, but secrets won't be injected into your build environment for pull requests for the same security reasons mentioned above.
You can read more about secrets at http://readme.drone.io/usage/secrets/
from gitness.
thanks @bradrydzewski for support!!
finally got it working combining token in secret and sed replace the bower.json dependence
from gitness.