Update to use a base64 encoded key
This commit is contained in:
@@ -3,12 +3,14 @@ services:
|
||||
build:
|
||||
context: .
|
||||
dockerfile: Dockerfile
|
||||
# Pass an SSH private key in as a build secret so npm can
|
||||
# authenticate against git.kadil.dev for the `goods-editor`
|
||||
# git+ssh: dependency. The secret is only available during
|
||||
# the single RUN step that mounts it; nothing about the key
|
||||
# ends up in the built image. See Dockerfile docblock for
|
||||
# the full mechanism.
|
||||
# Pass a base64-encoded SSH private key in as a build secret so
|
||||
# npm can authenticate against git.kadil.dev for the `goods-editor`
|
||||
# git+ssh: dependency. The Dockerfile decodes the base64 inside
|
||||
# the build. See Dockerfile docblock for the full mechanism and
|
||||
# the rationale for base64 over raw PEM.
|
||||
#
|
||||
# The secret is only available during the single RUN step that
|
||||
# mounts it; nothing about the key ends up in the built image.
|
||||
secrets:
|
||||
- ssh_key
|
||||
container_name: apparel-designer
|
||||
@@ -23,33 +25,32 @@ services:
|
||||
|
||||
# Build-time secret declaration.
|
||||
#
|
||||
# Two ways to provide the key, pick whichever fits where you're
|
||||
# building from:
|
||||
# The Dockerfile expects a BASE64-ENCODED private key (not the raw
|
||||
# PEM). See the Dockerfile docblock for the encoding command. Two
|
||||
# ways to provide it, pick whichever fits where you're building from:
|
||||
#
|
||||
# ── A. File-based (typical local dev / deployment server) ───────
|
||||
# Set SSH_KEY_FILE in the environment before running compose:
|
||||
# ── A. File-based (typical local dev) ──────────────────────────────
|
||||
# Encode the key to a temp file once, then point SSH_KEY_FILE at it:
|
||||
#
|
||||
# SSH_KEY_FILE=$HOME/.ssh/id_ed25519 docker compose build
|
||||
# base64 < ~/.ssh/goods-editor-deploy | tr -d '\n' > ~/.ssh/goods-editor-deploy.b64
|
||||
# SSH_KEY_FILE=$HOME/.ssh/goods-editor-deploy.b64 docker compose build
|
||||
#
|
||||
# The `file:` source below reads from that path. The fallback
|
||||
# `/dev/null` exists so `docker compose config` (validation /
|
||||
# linting) doesn't error out when the env var isn't set — actual
|
||||
# builds against /dev/null will fail with a clear "permission
|
||||
# denied" rather than a cryptic compose error.
|
||||
# The fallback `/dev/null` keeps `docker compose config` from erroring
|
||||
# when SSH_KEY_FILE isn't set; actual builds against /dev/null fail
|
||||
# with a clear base64-decode error rather than a cryptic compose error.
|
||||
#
|
||||
# ── B. Env-var-based (typical CI) ──────────────────────────────
|
||||
# ── B. Env-var-based (CI) ──────────────────────────────────────────
|
||||
# Comment out the `file:` line and uncomment `environment:` below.
|
||||
# Provide the key contents in the SSH_PRIVATE_KEY env var:
|
||||
# Provide the base64-encoded key in SSH_KEY_B64:
|
||||
#
|
||||
# SSH_PRIVATE_KEY="$(cat ~/.ssh/id_ed25519)" docker compose build
|
||||
# SSH_KEY_B64="$(base64 < ~/.ssh/goods-editor-deploy | tr -d '\n')" \
|
||||
# docker compose build
|
||||
#
|
||||
# In GitHub Actions / GitLab CI / etc., set SSH_PRIVATE_KEY from
|
||||
# the platform's secret store. The `environment:` source for build
|
||||
# secrets requires Docker Compose v2.23+.
|
||||
# Requires Docker Compose v2.23+ for the `environment:` secret source.
|
||||
secrets:
|
||||
ssh_key:
|
||||
file: ${SSH_KEY_FILE:-/dev/null}
|
||||
# environment: SSH_PRIVATE_KEY
|
||||
# environment: SSH_KEY_B64
|
||||
|
||||
volumes:
|
||||
uploads_data:
|
||||
|
||||
Reference in New Issue
Block a user