nmattia/niv

source.json interpolation with environment variables

yaitskov opened this issue · 5 comments

I spent a few days integrating a cascade of CI pipelines for several projects on gitlab.

The issue is ssh authentication. Every git repo is private.
gitlab has a hack - a special user with a token.

So if sources.json, instead of:

{
 "private-dep": {
   "branch": "master",
   "repo": "ssh://git@gitlab.com/company/private-dep.git",
   "rev": "ed73d970fd13b009ca5829f6b8c1c936c7221032",
   "type": "git"
 },

would contain the following:

"repo": "ssh://gitlab-ci-token:$CI_JOB_TOKEN@gitlab.com/company/private-dep.git",

then there is no hassle with ssh keys at all.

Some expression language (mustache?) supporting environment variables would help here a lot.

"repo": "ssh://git$([ -n "$CI_JOB_TOKEN" ] && echo "lab-ci-token:$CI_JOB_TOKEN")@gitlab.com/company/private-dep.git",

That sounds like a good idea. Maybe we can even unify this with the "template" feature used in e.g. URL templates (where <foo> in a string is replaced with the value of the foo attribute).

> Some expression language (mustache?) supporting environment variables would help here a lot.

I would be hesitant to bring in any expression language during the nix evaluation. It would add that language as a dependency for every niv user.

Then the next idea is to implement an interpreter for the expression language in nix itself. That seems like a project in itself.

My proposal to solve this problem would be to add a system of mirrors to niv and upgrade the template feature to support environment variables.
In your case, the first mirror would be the regular url ssh://git@gitlab.com/company/private-dep.git and the second would be the modified url for gitlab-ci, ssh://gitlab-ci-token:<CI_JOB_TOKEN>@gitlab.com/company/private-dep.git.
The biggest uncertainty of this approach is that we need to change each fetcher to support mirrors, since I don't think we can do it generically in nix.
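As an added sketch of the mirrors-plus-template idea in the comment above (example code, not niv's own implementation): `<name>` placeholders are filled from the source's own attributes first and then from the environment, mirrors whose placeholders cannot be resolved are skipped, and the credential part of a URL is masked before it is logged. The `mirrors` key and the `SAMPLE_SOURCE` entry are assumptions constructed for this example.

```python
import os
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample entry; "mirrors" is a hypothetical key, not a niv field.
SAMPLE_SOURCE = {
    "branch": "master",
    "repo": "ssh://git@gitlab.com/company/private-dep.git",
    "mirrors": [
        "ssh://gitlab-ci-token:<CI_JOB_TOKEN>@gitlab.com/company/private-dep.git",
    ],
    "rev": "ed73d970fd13b009ca5829f6b8c1c936c7221032",
    "type": "git",
}

PLACEHOLDER = re.compile(r"<([A-Za-z_][A-Za-z0-9_]*)>")


def render(template, attrs, env):
    """Expand every <name>: source attributes take precedence over environment
    variables; an unresolvable name raises KeyError instead of being left in
    the URL (a literal '<CI_JOB_TOKEN>' would otherwise be sent as a password)."""
    def lookup(match):
        name = match.group(1)
        if name in attrs:
            return attrs[name]
        if name in env:
            return env[name]
        raise KeyError(name)
    return PLACEHOLDER.sub(lookup, template)


def candidate_urls(source, env=None):
    """Concrete URLs to try in order: 'repo' first, then each mirror. Mirrors
    whose placeholders cannot be resolved (CI_JOB_TOKEN is unset on a developer
    machine) are dropped rather than producing a broken URL."""
    env = os.environ if env is None else env
    attrs = {k: v for k, v in source.items() if isinstance(v, str)}
    urls = []
    for template in [source["repo"]] + source.get("mirrors", []):
        try:
            urls.append(render(template, attrs, env))
        except KeyError:
            continue
    return urls


def redact(url):
    """Mask the password in the userinfo so a token never reaches a CI log."""
    parts = urlsplit(url)
    if parts.password is None:
        return url
    host = parts.hostname + (f":{parts.port}" if parts.port else "")
    return urlunsplit(parts._replace(netloc=f"{parts.username}:***@{host}"))
```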

Specifically for HTTP fetches, libcurl reads the user's ~/.netrc file for basic-auth-type credentials. Maybe Git also respects that file?

I'm thinking in terms of addressing the underlying issue.

What about other https mirrors that need authentication in the form of cookies?