Add support for GITHUB_PAT handling with private repo dependencies #40
Conversation
…kage dependencies
|
Just added a couple more features:
|
|
Hello there, I'm just curious if this is going to be merged? I'm thinking about working on #43 and I could use this code :) |
|
@michkam89 , tagging @VincentGuyader here to get some eyes on this |
There was a problem hiding this comment.
Thank you for the proposition. It is true that locally we never faced GitHub restrictions on our tests.
However, I think you proposition could be simplified if you specify an global environment variable in your Docker build. {remotes} knows where to find it while it is specified.
I did not tested it directly, but a way to look at it is probably how to deal with ARG
R/dock_from_desc.R
Outdated
| @@ -36,7 +36,9 @@ base_pkg_ <- c( | |||
| #' @param FROM The FROM of the Dockerfile. Default is | |||
| #' FROM rocker/r-ver:`R.Version()$major`.`R.Version()$minor`. | |||
| #' @param AS The AS of the Dockerfile. Default it NULL. | |||
| #' @param sha256 character. The Digest SHA256 hash corresponding to the chip architecture of the deployment host machine if different than the machine on which the image will be built. | |||
There was a problem hiding this comment.
Could you please elaborate on this parameter sha256 ?
How is this different from direct use of:
dock_from_desc(
FROM = rocker/rver@sha256:xxxxxxxxx
)If this is really needed, could you add information on how to create it and why in a "Details" section ?
There was a problem hiding this comment.
Hey @statnmap, this is no different from the direct use as you've indicated. It's provided as an argument to prompt a user that might not know they need to specify the build architecture when the host machine is different from the build machine. I've added better documentation in a7c3658 and added the argument to docker_from_renv for parity across the two functions.
| function(dock, ver, nm, i) { | ||
| fmt <- "Rscript -e 'remotes::install_github(\"%s\")'" | ||
| if (i) | ||
| fmt <- paste("GITHUB_PAT=$GITHUB_PAT", fmt) |
There was a problem hiding this comment.
Can't we set GITHUB_PATas a global environment variable instead when building the Docker using the ARG parameter ?
You could set a ARG GITHUB_PAT=default that would be modified with build-arg.
See for instance: https://stackoverflow.com/questions/39597925/how-do-i-set-environment-variables-during-the-build-in-docker
Indeed, this would not prevent us to configure {dockerfiler} for other sources than GitHub.
At some point, we will use {attachment} to deal with other repositories sources (ThinkR-open/attachment#56)
There was a problem hiding this comment.
Hi @statnmap,
You could set a ARG GITHUB_PAT=default that would be modified with build-arg.
See for instance: https://stackoverflow.com/questions/39597925/how-do-i-set-environment-variables-during-the-build-in-docker
That actually doesn't work. The GITHUB_PAT Environment variable has to be set each time R is invoked, otherwise it's not available to the R session when installing from private repositories.
The drawback of this method (used in this PR) is it actually exposes the GITHUB_PAT in the build log. If folks are using docker.io, most images are defaulted to public visibility after upload, thus exposing the GITHUB_PAT after upload to docker.io.
I've been thinking through how best to ensure that the installation of remote private repos goes smoothly and the best way that I can think of seems to be to copy an .Renviron file with the GITHUB_PAT variable set in it to the image while the installation of packages takes place.
This could be accomplished by adding an argument that allows the user to copy the .Renviron to the image. If they opt to copy the .Renviron then the GITHUB_PAT variable is just appended. If they do not opt to copy the .Renviron file, then the .Renviron file with just the GITHUB_PAT can be removed via RUN rm .Renviron at the end of the package installation process in the Dockerfile.
What are your thoughts on this method of copying the .Renviron with the GITHUB_PAT to the image either permanently or temporarily based on user preference?
|
Hey @statnmap, thanks for the review here! I haven't had a chance to implement the changes yet but I'll have some time off over the holidays where I can hopefully get to it! |
|
Hey @statnmap , I had an opportunity to document the sha256 parameter in the preceding commits. Is there anything else? |
|
Hey @statnmap, |
Hi @VincentGuyader & @ColinFay,
This PR will eventually fix #18.
It currently only modifies
dock_from_descto add handling of theGITHUB_PATas abuild-argto enable fetching of private Github repos during docker build.A comment is included in the Dockerfile reminding the user to use the
--build-arg GITHUB_PAT=[github PAT]flag when runningdocker build.There is an info message also indicating this fact which also informs the user that using this method causes the GITHUB_PAT to be exposed in the image metadata and thus the image must be kept private if uploaded to Docker Hub.
I would appreciate feedback on this approach thus far before I implement a similar method for handling private repos on the
dock_from_renvfunction.Can y'all let me know if this is satisfactory?