/heroku-buildpack-github-netrc

Heroku buildpack to access private Github repos over HTTPS without storing user/pass in your files.

Heroku buildpack: GitHub private repo access via ~/.netrc

This buildpack uses a GitHub OAuth2 token exposed as GITHUB_AUTH_TOKEN to resolve private repository URLs without putting a specific username or password in the URLs saved in local files (e.g. package.json).

See Easier builds and deployments using Git over HTTPS and OAuth and GitHub OAuth — Non-web Application Flow for more detail. Also, you may want to choose a user with read-only access.

If you use this in conjunction with the labs:pipeline feature of Heroku, you may avoid setting the GITHUB_AUTH_TOKEN environment variable on your test & prod apps, and instead only set it on the app where you push your code & which runs the buildpack.

Requirements

You'll need to make a GitHub authorization token. Here's the curl command you can use.

$ curl -u 'my-read-only-user' -d '{"scopes":["repo"],"note":"GITHUB_AUTH_TOKEN for Heroku deplyoments","note_url":"https://github.com/timshadel/heroku-buildpack-github-netrc"}' https://api.github.com/authorizations  # GitHub API call
Enter host password for user 'username':  [type password]

{
  "scopes": [
    "repo"
  ],
  "token": "your_token",
  "app": {
    "url": "http://developer.github.com/v3/oauth/#oauth-authorizations-api",
    "name": "Help example (API)"
  },
  "url": "https://api.github.com/authorizations/123456",
  "note": "GITHUB_AUTH_TOKEN for Heroku deployments.",
  "note_url": "https://github.com/timshadel/heroku-buildpack-github-netrc",
  "id": 123456,
}

This token may be revoked at any time by visiting the Applications area of your GitHub account. You'll see the note linked to the note_url and the revoke button right next to it.

You may also create a new token using the GitHub UI; follow the instructions in the GitHub OAuth help article and ensure your token has the "repo" scope.

Usage

First, make sure your app already has a buildpack set:

$ heroku buildpacks

If this does not output an existing buildpack, follow the instructions at https://devcenter.heroku.com/articles/buildpacks

Next, prepend this buildpack to your list of buildpacks, so it runs before your app is built:

$ heroku buildpacks:add -i 1 https://github.com/timshadel/heroku-buildpack-github-netrc.git

Set your GitHub auth token:

$ heroku config:set GITHUB_AUTH_TOKEN=<my-read-only-token>

Deploy your app:

$ git push heroku master  # push your changes to Heroku

...git output...

-----> Fetching custom git buildpack... done
-----> Multipack app detected
=====> Downloading Buildpack: https://github.com/timshadel/heroku-buildpack-github-netrc.git
=====> Detected Framework: github-netrc
       Generated .netrc & .curlrc files (available only at build-time)
       GitHub User:   my-read-only-user
       Authorization: GITHUB_AUTH_TOKEN for Heroku deplyoments (private repo access)
       Organizations: my-org, another-org
...