From d7194f161d9207366e8cd6b92532f60a91ae816a Mon Sep 17 00:00:00 2001 From: Tom Chauveau Date: Wed, 25 Aug 2021 17:41:06 +0200 Subject: [PATCH 1/4] Add secret management to `op.#FetchGit` operation to fetch private repository - Update `op.cue` to support secrets - Update `pipeline.go` to use authTokenSecret & authHeaderSecret Signed-off-by: Tom Chauveau --- environment/pipeline.go | 48 +++++++++++++++++++++++++++-------------- stdlib/dagger/op/op.cue | 4 ++-- 2 files changed, 34 insertions(+), 18 deletions(-) diff --git a/environment/pipeline.go b/environment/pipeline.go index ceea712f..ff947a0b 100644 --- a/environment/pipeline.go +++ b/environment/pipeline.go @@ -494,17 +494,11 @@ func (p *Pipeline) mount(ctx context.Context, dest string, mnt *compiler.Value) } // eg. mount: "/foo": secret: mysecret if secret := mnt.Lookup("secret"); secret.Exists() { - if !secret.HasAttr("secret") { - return nil, fmt.Errorf("invalid secret %q: not a secret", secret.Path().String()) - } - idValue := secret.Lookup("id") - if !idValue.Exists() { - return nil, fmt.Errorf("invalid secret %q: no id field", secret.Path().String()) - } - id, err := idValue.String() + id, err := getSecretID(secret) if err != nil { - return nil, fmt.Errorf("invalid secret id: %w", err) + return nil, err } + return llb.AddSecret(dest, llb.SecretID(id), llb.SecretFileOpt(0, 0, 0400), // uid, gid, mask) 
@@ -779,6 +773,21 @@ func (p *Pipeline) PushContainer(ctx context.Context, op *compiler.Value, st llb return st, err } +func getSecretID(secretField *compiler.Value) (string, error) { + if !secretField.HasAttr("secret") { + return "", fmt.Errorf("invalid secret %q: not a secret", secretField.Path().String()) + } + idValue := secretField.Lookup("id") + if !idValue.Exists() { + return "", fmt.Errorf("invalid secret %q: no id field", secretField.Path().String()) + } + id, err := idValue.String() + if err != nil { + return "", fmt.Errorf("invalid secret id: %w", err) + } + return id, nil +} + func (p *Pipeline) FetchGit(ctx context.Context, op *compiler.Value, st llb.State) (llb.State, error) { remote, err := op.Lookup("remote").String() if err != nil { @@ -796,9 +805,7 @@ func (p *Pipeline) FetchGit(ctx context.Context, op *compiler.Value, st llb.Stat gitOpts := []llb.GitOption{} var opts struct { - AuthTokenSecret string - AuthHeaderSecret string - KeepGitDir bool + KeepGitDir bool } if err := op.Decode(&opts); err != nil { @@ -808,11 +815,20 @@ func (p *Pipeline) FetchGit(ctx context.Context, op *compiler.Value, st llb.Stat if opts.KeepGitDir { gitOpts = append(gitOpts, llb.KeepGitDir()) } - if opts.AuthTokenSecret != "" { - gitOpts = append(gitOpts, llb.AuthTokenSecret(opts.AuthTokenSecret)) + // Secret + if authTokenSecret := op.Lookup("authTokenSecret"); authTokenSecret.Exists() { + id, err := getSecretID(authTokenSecret) + if err != nil { + return st, err + } + gitOpts = append(gitOpts, llb.AuthTokenSecret(id)) } - if opts.AuthHeaderSecret != "" { - gitOpts = append(gitOpts, llb.AuthTokenSecret(opts.AuthHeaderSecret)) + if authHeaderSecret := op.Lookup("authHeaderSecret"); authHeaderSecret.Exists() { + id, err := getSecretID(authHeaderSecret) + if err != nil { + return st, err + } + gitOpts = append(gitOpts, llb.AuthHeaderSecret(id)) } gitOpts = append(gitOpts, llb.WithCustomName(p.vertexNamef("FetchGit %s@%s", remoteRedacted, ref))) 
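Review bot: The new `getSecretID` helper has no doc comment, and its last error, `invalid secret id: %w`, drops the CUE path that the two earlier errors include, so a failure raised for `authTokenSecret` cannot be told apart from one raised for a `mount`. I would add `// getSecretID returns the id field of a value carrying the @dagger(secret) attribute, or an error if the attribute or the id is missing.` above the function. The message could become `fmt.Errorf("invalid secret %q: id: %w", secretField.Path().String(), err)`. The comment could also state that only the id is read here, never the secret's content.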
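Review bot: Nothing in the visible lines checks the scheme of `remote` before a credential is attached, so an `http://` remote with `authTokenSecret` set would presumably send the token in cleartext. FetchGit starts and ends outside this hunk, so confirm no such check exists elsewhere; if not, a guard such as `if strings.HasPrefix(remote, "http://") { return st, fmt.Errorf("refusing to attach credentials to plain-http remote %s", remoteRedacted) }` in each branch would close it (assuming `strings` is imported). Both branches also return the `getSecretID` error without naming the field, and nothing says which secret wins when both are set; `return st, fmt.Errorf("authTokenSecret: %w", err)` would cover the first. The same applies to the renamed `authToken`/`authHeader` lookups in PATCH 4/4.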
diff --git a/stdlib/dagger/op/op.cue b/stdlib/dagger/op/op.cue index 44c2f7dd..3ca37b04 100644 --- a/stdlib/dagger/op/op.cue +++ b/stdlib/dagger/op/op.cue @@ -87,8 +87,8 @@ package op ref: string keepGitDir?: bool // FIXME: the two options are currently ignored until we support buildkit secrets - authTokenSecret?: string | bytes - authHeaderSecret?: string | bytes + authTokenSecret?: _ @dagger(secret) + authHeaderSecret?: _ @dagger(secret) } #FetchHTTP: { From a987d1dc341ed9d99e043521c87507ce2efdcfe5 Mon Sep 17 00:00:00 2001 From: Tom Chauveau Date: Wed, 25 Aug 2021 17:41:43 +0200 Subject: [PATCH 2/4] Add test on `op.#FetchGit` for private repository Signed-off-by: Tom Chauveau --- stdlib/.dagger/env/op-fetch-git/.gitignore | 2 ++ stdlib/.dagger/env/op-fetch-git/values.yaml | 26 +++++++++++++++++++ .../dagger/op/tests/fetch-git/fetch-git.cue | 22 ++++++++++++++++ stdlib/universe.bats | 4 +++ 4 files changed, 54 insertions(+) create mode 100644 stdlib/.dagger/env/op-fetch-git/.gitignore create mode 100644 stdlib/.dagger/env/op-fetch-git/values.yaml create mode 100644 stdlib/dagger/op/tests/fetch-git/fetch-git.cue diff --git a/stdlib/.dagger/env/op-fetch-git/.gitignore b/stdlib/.dagger/env/op-fetch-git/.gitignore new file mode 100644 index 00000000..01ec19b0 --- /dev/null +++ b/stdlib/.dagger/env/op-fetch-git/.gitignore @@ -0,0 +1,2 @@ +# dagger state +state/** diff --git a/stdlib/.dagger/env/op-fetch-git/values.yaml b/stdlib/.dagger/env/op-fetch-git/values.yaml new file mode 100644 index 00000000..6f52cd47 --- /dev/null +++ b/stdlib/.dagger/env/op-fetch-git/values.yaml 
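Review bot: The context comment `// FIXME: the two options are currently ignored until we support buildkit secrets` is stale once this patch lands, because `pipeline.go` now reads both fields. It should be dropped or replaced with something like `// secrets used to authenticate the fetch`. The fields are also typed `_`, so the schema accepts any value and the only enforcement is the runtime `HasAttr("secret")` check in `getSecretID`. If this package can reference a secret definition, constraining the fields to it would reject a plain string at evaluation time. The same FIXME survives the rename to `authToken`/`authHeader` in PATCH 4/4.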
@@ -0,0 +1,26 @@ +plan: + package: ./dagger/op/tests/fetch-git +name: op-fetch-git +inputs: + TestPAT: + secret: ENC[AES256_GCM,data:4rBqMc8jbs0mIl2tqxZZu6xhKWq1zb4Zmdd4eobZxmT5xkeVJM94KA==,iv:xj6wu5amzCACh8vvBbtqYK8MLsFvoFIYe2wsDLhbzhc=,tag:ZCInVlyCr41MfV9W9SK5iw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1gxwmtwahzwdmrskhf90ppwlnze30lgpm056kuesrxzeuyclrwvpsupwtpk + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjYUh0WC8yTEtaK2VlZEU4 + c1pCTUNFWWt3WE5GSzZPU1VuWnVQWHMyWTF3CnVRN0ovd2tWUlU0Q1BneEEyQm9s + Rm9TNGVVK3g5aVJUOGNYRzdxbERnNUUKLS0tIDRvTlU2eUozZy9jYzFqOHB6SzNE + NnhoNTZYQVJBV1FKUHI1aWJZTnc0bEkKBNxuA26mtiAznfuGbLcqeIxvgg9kLjBl + ZofKLWu33k7aUQJADAEKoFD7B0B502LtQRMLk94ObzdhdLxl1F3JNA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2021-08-25T15:03:39Z" + mac: ENC[AES256_GCM,data:IwMHAYejWYenT9KCSSBQhQcRMS+6EJBwDlmP1iWBNs41sbFMSvLabRsh1QHfgN8IYMc02XSii3PM8nDW44CG3s2PYaejEbS0/Q4OnqDFWjW3oyaDxS5/4OvJALV5JWSyQYAItepI1B/M6vL8nXS8lUxxuythX5jyEq9LTGfB608=,iv:8ecze6Fz8BSnENS6cXTpZ6s5zAQMsnb3yqvCjDvwhMc=,tag:iHi/g9K8GX9hrJGN2oq7Jg==,type:str] + pgp: [] + encrypted_suffix: secret + version: 3.7.1 diff --git a/stdlib/dagger/op/tests/fetch-git/fetch-git.cue b/stdlib/dagger/op/tests/fetch-git/fetch-git.cue new file mode 100644 index 00000000..3b20bba0 --- /dev/null +++ b/stdlib/dagger/op/tests/fetch-git/fetch-git.cue @@ -0,0 +1,22 @@ +package op + +import ( + "alpha.dagger.io/os" + "alpha.dagger.io/dagger" + "alpha.dagger.io/dagger/op" +) + +// Github PAT +TestPAT: dagger.#Input & {dagger.#Secret} + +TestRepo: #up: [op.#FetchGit & { + remote: "https://github.com/dagger/dagger.git" + ref: "main" + authTokenSecret: TestPAT +}] + +TestContent: os.#Container & { + always: true + command: "ls -l /input/repo | grep 'universe -> stdlib'" + mount: "/input/repo": from: TestRepo +} diff --git a/stdlib/universe.bats b/stdlib/universe.bats index ddc2379b..153e64ba 100644 
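Review bot: This file commits a sops-encrypted GitHub PAT (`inputs.TestPAT.secret`) to the repository, and nothing in it records what the token can access. Ciphertext stays in git history after it is deleted or re-encrypted, and PATCH 3/4 and 4/4 add further copies under `tests/ops/fetch-git/private-repo/` and `stdlib/.dagger/env/git/`. Anyone who later obtains the age key for the listed recipient can therefore recover every version. I would add a header comment such as `# TestPAT: read-only CI token scoped to a single repository; rotate whenever the age key changes hands` and confirm the token really is scoped that way.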
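Review bot: `TestContent` only checks that the checkout contains the `universe -> stdlib` symlink, which proves the clone worked but not that `authTokenSecret` was used. If `https://github.com/dagger/dagger.git` is readable anonymously, the test passes with a broken or ignored token. A companion case that fetches the same remote without the secret and expects failure would pin the behaviour, as would one that passes a non-secret value and expects the `not a secret` error. `TestPrivateRepository` in `stdlib/git/tests/git.cue` (PATCH 4/4) has the same gap with its `[ -d .git ]` check.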
--- a/stdlib/universe.bats +++ b/stdlib/universe.bats @@ -8,6 +8,10 @@ setup() { dagger -e sanity-check up } +@test "op-fetch-git" { + # This test should be in `tests/ops.bats` but dagger compute doesn't handle `dagger.#Secret` + dagger -e op-fetch-git up +} @test "os" { dagger -e os up From 3b0e3f6919a21a50127097d30b8ca561004a9590 Mon Sep 17 00:00:00 2001 From: Guillaume de Rouville Date: Thu, 26 Aug 2021 12:14:17 +0200 Subject: [PATCH 3/4] Move private repository tests + implement env helper function Signed-off-by: Guillaume de Rouville --- stdlib/universe.bats | 5 ---- tests/helpers.bash | 7 +++++ tests/ops.bats | 4 +++ .../.dagger/env/op-fetch-git/.gitignore | 2 ++ .../.dagger/env/op-fetch-git/values.yaml | 26 +++++++++++++++++++ .../fetch-git/private-repo/cue.mod/module.cue | 1 + .../private-repo/cue.mod/pkg/.gitignore | 2 ++ .../ops/fetch-git/private-repo}/fetch-git.cue | 0 8 files changed, 42 insertions(+), 5 deletions(-) create mode 100644 tests/ops/fetch-git/private-repo/.dagger/env/op-fetch-git/.gitignore create mode 100644 tests/ops/fetch-git/private-repo/.dagger/env/op-fetch-git/values.yaml create mode 100644 tests/ops/fetch-git/private-repo/cue.mod/module.cue create mode 100644 tests/ops/fetch-git/private-repo/cue.mod/pkg/.gitignore rename {stdlib/dagger/op/tests/fetch-git => tests/ops/fetch-git/private-repo}/fetch-git.cue (100%) diff --git a/stdlib/universe.bats b/stdlib/universe.bats index 153e64ba..68b7136f 100644 --- a/stdlib/universe.bats +++ b/stdlib/universe.bats @@ -8,11 +8,6 @@ setup() { dagger -e sanity-check up } -@test "op-fetch-git" { - # This test should be in `tests/ops.bats` but dagger compute doesn't handle `dagger.#Secret` - dagger -e op-fetch-git up -} - @test "os" { dagger -e os up } diff --git a/tests/helpers.bash b/tests/helpers.bash index 9bbd96e0..c522faf3 100644 --- a/tests/helpers.bash +++ b/tests/helpers.bash 
@@ -26,6 +26,13 @@ dagger_new_with_plan() { "$DAGGER" new "$name" } +dagger_new_with_env() { + local sourcePlan="$1" + + "$DAGGER" init -w "$DAGGER_WORKSPACE" + rsync -av "$sourcePlan"/ "$DAGGER_WORKSPACE" +} + # dagger helper to execute the right binary dagger() { "${DAGGER}" "$@" diff --git a/tests/ops.bats b/tests/ops.bats index f2f21b59..b139dc81 100644 --- a/tests/ops.bats +++ b/tests/ops.bats @@ -108,6 +108,10 @@ setup() { run "$DAGGER" compute "$TESTDIR"/ops/fetch-git/gitdir assert_success + dagger_new_with_env "$TESTDIR"/ops/fetch-git/private-repo + run "$DAGGER" up -e op-fetch-git + assert_success + # FIXME: distinguish missing inputs from incorrect config # run "$DAGGER" compute "$TESTDIR"/ops/fetch-git/invalid # assert_failure diff --git a/tests/ops/fetch-git/private-repo/.dagger/env/op-fetch-git/.gitignore b/tests/ops/fetch-git/private-repo/.dagger/env/op-fetch-git/.gitignore new file mode 100644 index 00000000..01ec19b0 --- /dev/null +++ b/tests/ops/fetch-git/private-repo/.dagger/env/op-fetch-git/.gitignore @@ -0,0 +1,2 @@ +# dagger state +state/** diff --git a/tests/ops/fetch-git/private-repo/.dagger/env/op-fetch-git/values.yaml b/tests/ops/fetch-git/private-repo/.dagger/env/op-fetch-git/values.yaml new file mode 100644 index 00000000..6931f4c3 --- /dev/null +++ b/tests/ops/fetch-git/private-repo/.dagger/env/op-fetch-git/values.yaml 
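Review bot: `dagger_new_with_env` passes `"$sourcePlan"/` to rsync without checking the argument, so a call with an empty or missing `$1` expands to `/` and starts copying the root filesystem into `$DAGGER_WORKSPACE`. Declaring it as `local sourcePlan="${1:?source plan directory required}"` makes the helper abort instead. The `-v` flag also prints every copied path into the bats output; `rsync -a` is enough for a test helper.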
@@ -0,0 +1,26 @@ +plan: + package: . +name: op-fetch-git +inputs: + TestPAT: + secret: ENC[AES256_GCM,data:TVMwgMe+Q/BzQ/rxKIr9lRPuu2FpVQXppufy33lWQ8An+c9cTSVLCQ==,iv:Xpe54Llfcu1aTWkzNxUtcRrrqIlI/i4pdshOCVKeREY=,tag:Ugwzcpmddzhq62gPKpAkkQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1gxwmtwahzwdmrskhf90ppwlnze30lgpm056kuesrxzeuyclrwvpsupwtpk + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoamxhWnpyQzJRcE9TRldj + Rmd6eHV5TnpReENzNHI3MFZRZWpqaGJoRzFjClMyQW1raVNiSU84blhhSzRja01F + cjVpVmxJS1o0NEdlTXYvQ290Rjdma0kKLS0tIDkrTjRHTEtaaDY2QzhBaVJYRjhn + OXA2TkFjYlVNMFFEblA2MUZRWVB3T3MKhunM53KD+jGvdAInPbr+N6YrpirLIp4V + seb6c4bryHPL+zZWSX1H04sCWgGOypLfYq/fUyPOunbs/b+AWn8chw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2021-08-26T09:34:51Z" + mac: ENC[AES256_GCM,data:JUo5COutVZMqJN2UNhqL842hhGsMdCLOFFo5g4HDFMQLG3M1iQ2M0i8AjnAlPGMukNoF3qr/rTf6FCNdpeXc/oXiOM+q0w9xp+jGup5uplhXUWw+au4YHXbSezxCVtmKCRIzkDBiN5x2zKLg7qBzsqKdzyeBiBI/QAPCoXuTk4g=,iv:m4GKvZ8g4dniAbTnUO+wjZlYx6uCJcCwkanoAzjciuY=,tag:vUUHFcGg5OIjDHeI0B+RGw==,type:str] + pgp: [] + encrypted_suffix: secret + version: 3.7.1 diff --git a/tests/ops/fetch-git/private-repo/cue.mod/module.cue b/tests/ops/fetch-git/private-repo/cue.mod/module.cue new file mode 100644 index 00000000..f8af9cef --- /dev/null +++ b/tests/ops/fetch-git/private-repo/cue.mod/module.cue @@ -0,0 +1 @@ +module: "" diff --git a/tests/ops/fetch-git/private-repo/cue.mod/pkg/.gitignore b/tests/ops/fetch-git/private-repo/cue.mod/pkg/.gitignore new file mode 100644 index 00000000..a572e9ee --- /dev/null +++ b/tests/ops/fetch-git/private-repo/cue.mod/pkg/.gitignore @@ -0,0 +1,2 @@ +# dagger universe +alpha.dagger.io diff --git a/stdlib/dagger/op/tests/fetch-git/fetch-git.cue b/tests/ops/fetch-git/private-repo/fetch-git.cue similarity index 100% rename from stdlib/dagger/op/tests/fetch-git/fetch-git.cue rename to tests/ops/fetch-git/private-repo/fetch-git.cue 
From 08f395b70da168ba35cbd64099fbade7f1550e7f Mon Sep 17 00:00:00 2001 From: Guillaume de Rouville Date: Thu, 26 Aug 2021 16:12:14 +0200 Subject: [PATCH 4/4] Add auth to Git.#Repository Signed-off-by: Guillaume de Rouville --- docs/reference/universe/git.md | 2 ++ environment/pipeline.go | 8 +++--- stdlib/.dagger/env/git/values.yaml | 7 +++-- stdlib/.dagger/env/op-fetch-git/.gitignore | 2 -- stdlib/.dagger/env/op-fetch-git/values.yaml | 26 ------------------- stdlib/dagger/op/op.cue | 4 +-- stdlib/git/git.cue | 18 ++++++++++--- stdlib/git/tests/git.cue | 25 +++++++++++++++++- .../ops/fetch-git/private-repo/fetch-git.cue | 6 ++--- 9 files changed, 55 insertions(+), 43 deletions(-) delete mode 100644 stdlib/.dagger/env/op-fetch-git/.gitignore delete mode 100644 stdlib/.dagger/env/op-fetch-git/values.yaml diff --git a/docs/reference/universe/git.md b/docs/reference/universe/git.md index 956a4125..f9107ac7 100644 --- a/docs/reference/universe/git.md +++ b/docs/reference/universe/git.md @@ -37,6 +37,8 @@ A git repository |*remote* | `string` |Git remote. Example: `"https://github.com/dagger/dagger"` | |*ref* | `string` |Git ref: can be a commit, tag or branch. Example: "main" | |*subdir* | `*null \| string` |(optional) Subdirectory | +|*authToken* | `dagger.#Secret` |(optional) Add Personal Access Token | +|*authHeader* | `dagger.#Secret` |(optional) Add OAuth Token | ### git.#Repository Outputs diff --git a/environment/pipeline.go b/environment/pipeline.go index ff947a0b..0d9dbb92 100644 --- a/environment/pipeline.go +++ b/environment/pipeline.go 
@@ -816,15 +816,15 @@ func (p *Pipeline) FetchGit(ctx context.Context, op *compiler.Value, st llb.Stat gitOpts = append(gitOpts, llb.KeepGitDir()) } // Secret - if authTokenSecret := op.Lookup("authTokenSecret"); authTokenSecret.Exists() { - id, err := getSecretID(authTokenSecret) + if authToken := op.Lookup("authToken"); authToken.Exists() { + id, err := getSecretID(authToken) if err != nil { return st, err } gitOpts = append(gitOpts, llb.AuthTokenSecret(id)) } - if authHeaderSecret := op.Lookup("authHeaderSecret"); authHeaderSecret.Exists() { - id, err := getSecretID(authHeaderSecret) + if authHeader := op.Lookup("authHeader"); authHeader.Exists() { + id, err := getSecretID(authHeader) if err != nil { return st, err } diff --git a/stdlib/.dagger/env/git/values.yaml b/stdlib/.dagger/env/git/values.yaml index fc35aff2..164b56f2 100644 --- a/stdlib/.dagger/env/git/values.yaml +++ b/stdlib/.dagger/env/git/values.yaml @@ -1,6 +1,9 @@ plan: package: ./git/tests name: git +inputs: + TestPAT: + secret: ENC[AES256_GCM,data:7s1tSIpIDNBhAFupdjb7KtPbjKrCd5tXupr3RQF2N3Xu5XGuTZMgoQ==,iv:I+SVYLnjgMffvNg6BMB6m1lj+VVH5sDK0aIEAWPcyLY=,tag:TcfJ6LVps8dXVZGZy3T2ew==,type:str] sops: kms: [] gcp_kms: [] 
@@ -16,8 +19,8 @@ sops: TmhJNisyamw3d244aGVJSEVFVUVLZGsKvd+nowA0CLXQbdvyI4J0lBjs9vdISWlo gGvR49uul3Z8raVWXFUzsyQ8xTvYNg0ovynFG2KdagSKr1DlhKMBEQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2021-07-08T09:54:31Z" - mac: ENC[AES256_GCM,data:pFrhyJQLJ1zQJmXQWQtmkeraiTHCKvOEr+TVgYQ6EZsei+dL+VUVWDgeHLkonxwh9eBPyAtB1cfxPc+1xVnMCqmFPVZMZ0P+CNgaOTcHk38UzOHyCcjw18AjROuEYffat8XbmjwKaSX+XRvMiC53BTrZkXt6os7hfikrySEot3A=,iv:W9S+qlvAB3gXFhUTpE17Fm/lQK6DTo7mmdzL3LjCVWQ=,tag:/fETJit+AXZ/OjIjz0TPhA==,type:str] + lastmodified: "2021-08-26T13:44:11Z" + mac: ENC[AES256_GCM,data:ttmpbzhrVFEGh/oJF4TtMvf99rutPBbzp9cIaqakIl+5nxqOkuAakgvf7IIMBG235zdyMvIXZZh6NLYG51PZA1hKNMg5Pqqba9GOSvFCHasWzNJ3pi5SLBGD02ivDfkSMbEHeOCUhnG1X4LxkYL9j+fb4tQt1Btv1hiIAcIa+eY=,iv:WxuW+0yJYtNqAB0y1nji9c3lzn4Pftir8uZojcdphng=,tag:yvcIJxkuqOmCfXoyEnGWow==,type:str] pgp: [] encrypted_suffix: secret version: 3.7.1 diff --git a/stdlib/.dagger/env/op-fetch-git/.gitignore b/stdlib/.dagger/env/op-fetch-git/.gitignore deleted file mode 100644 index 01ec19b0..00000000 --- a/stdlib/.dagger/env/op-fetch-git/.gitignore +++ /dev/null @@ -1,2 +0,0 @@ -# dagger state -state/** diff --git a/stdlib/.dagger/env/op-fetch-git/values.yaml b/stdlib/.dagger/env/op-fetch-git/values.yaml deleted file mode 100644 index 6f52cd47..00000000 --- a/stdlib/.dagger/env/op-fetch-git/values.yaml +++ /dev/null 
@@ -1,26 +0,0 @@ -plan: - package: ./dagger/op/tests/fetch-git -name: op-fetch-git -inputs: - TestPAT: - secret: ENC[AES256_GCM,data:4rBqMc8jbs0mIl2tqxZZu6xhKWq1zb4Zmdd4eobZxmT5xkeVJM94KA==,iv:xj6wu5amzCACh8vvBbtqYK8MLsFvoFIYe2wsDLhbzhc=,tag:ZCInVlyCr41MfV9W9SK5iw==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1gxwmtwahzwdmrskhf90ppwlnze30lgpm056kuesrxzeuyclrwvpsupwtpk - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjYUh0WC8yTEtaK2VlZEU4 - c1pCTUNFWWt3WE5GSzZPU1VuWnVQWHMyWTF3CnVRN0ovd2tWUlU0Q1BneEEyQm9s - Rm9TNGVVK3g5aVJUOGNYRzdxbERnNUUKLS0tIDRvTlU2eUozZy9jYzFqOHB6SzNE - NnhoNTZYQVJBV1FKUHI1aWJZTnc0bEkKBNxuA26mtiAznfuGbLcqeIxvgg9kLjBl - ZofKLWu33k7aUQJADAEKoFD7B0B502LtQRMLk94ObzdhdLxl1F3JNA== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2021-08-25T15:03:39Z" - mac: ENC[AES256_GCM,data:IwMHAYejWYenT9KCSSBQhQcRMS+6EJBwDlmP1iWBNs41sbFMSvLabRsh1QHfgN8IYMc02XSii3PM8nDW44CG3s2PYaejEbS0/Q4OnqDFWjW3oyaDxS5/4OvJALV5JWSyQYAItepI1B/M6vL8nXS8lUxxuythX5jyEq9LTGfB608=,iv:8ecze6Fz8BSnENS6cXTpZ6s5zAQMsnb3yqvCjDvwhMc=,tag:iHi/g9K8GX9hrJGN2oq7Jg==,type:str] - pgp: [] - encrypted_suffix: secret - version: 3.7.1 diff --git a/stdlib/dagger/op/op.cue b/stdlib/dagger/op/op.cue index 3ca37b04..81adc6e5 100644 --- a/stdlib/dagger/op/op.cue +++ b/stdlib/dagger/op/op.cue @@ -87,8 +87,8 @@ package op ref: string keepGitDir?: bool // FIXME: the two options are currently ignored until we support buildkit secrets - authTokenSecret?: _ @dagger(secret) - authHeaderSecret?: _ @dagger(secret) + authToken?: _ @dagger(secret) + authHeader?: _ @dagger(secret) } #FetchHTTP: { diff --git a/stdlib/git/git.cue b/stdlib/git/git.cue index ee852ee8..8a12177d 100644 --- a/stdlib/git/git.cue +++ b/stdlib/git/git.cue 
@@ -11,18 +11,24 @@ import ( #Repository: { // Git remote. // Example: `"https://github.com/dagger/dagger"` - remote: string & dagger.#Input + remote: dagger.#Input & {string} // Git ref: can be a commit, tag or branch. // Example: "main" - ref: string & dagger.#Input + ref: dagger.#Input & {string} // (optional) Subdirectory - subdir: *null | string & dagger.#Input + subdir: dagger.#Input & {*null | string} // (optional) Keep .git directory keepGitDir: *false | bool + // (optional) Add Personal Access Token + authToken: dagger.#Input & {*null | dagger.#Secret} + + // (optional) Add OAuth Token + authHeader: dagger.#Input & {*null | dagger.#Secret} + #up: [ op.#FetchGit & { "remote": remote @@ -30,6 +36,12 @@ import ( if (keepGitDir) { keepGitDir: true } + if (authToken != null) { + "authToken": authToken + } + if (authHeader != null) { + "authHeader": authHeader + } }, if subdir != null { op.#Subdir & { diff --git a/stdlib/git/tests/git.cue b/stdlib/git/tests/git.cue index f266223a..3f00ca4b 100644 --- a/stdlib/git/tests/git.cue +++ b/stdlib/git/tests/git.cue @@ -3,8 +3,9 @@ package git import ( "strings" - "alpha.dagger.io/git" "alpha.dagger.io/alpine" + "alpha.dagger.io/dagger" + "alpha.dagger.io/git" "alpha.dagger.io/os" ) @@ -74,3 +75,25 @@ TestCurrentTags: os.#Container & { [ $TAGS = "0=master" ] """ } + +// Test fetching a private repo +TestPAT: dagger.#Input & {dagger.#Secret} + +privateRepo: git.#Repository & { + remote: "https://github.com/dagger/dagger.git" + ref: "main" + keepGitDir: true + authToken: TestPAT +} + +TestPrivateRepository: os.#Container & { + image: alpine.#Image & { + package: bash: "=5.1.0-r0" + package: git: true + } + mount: "/repo1": from: privateRepo + dir: "/repo1" + command: """ + [ -d .git ] + """ +} diff --git a/tests/ops/fetch-git/private-repo/fetch-git.cue b/tests/ops/fetch-git/private-repo/fetch-git.cue index 3b20bba0..241df10f 100644 --- a/tests/ops/fetch-git/private-repo/fetch-git.cue 
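Review bot: The comment `// (optional) Add OAuth Token` on `authHeader` undersells the field, which ends up in `llb.AuthHeaderSecret`. As far as I know BuildKit uses that secret's content as the whole `Authorization` header value rather than a bare token. I would word it `// (optional) Secret holding the full HTTP Authorization header value` and `authToken` as `// (optional) Secret holding a personal access token`. The comments should also say which one applies when both are set, since the `#up` block forwards both. The matching rows in `docs/reference/universe/git.md` would need the same wording.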
+++ b/tests/ops/fetch-git/private-repo/fetch-git.cue @@ -10,9 +10,9 @@ import ( TestPAT: dagger.#Input & {dagger.#Secret} TestRepo: #up: [op.#FetchGit & { - remote: "https://github.com/dagger/dagger.git" - ref: "main" - authTokenSecret: TestPAT + remote: "https://github.com/dagger/dagger.git" + ref: "main" + authToken: TestPAT }] TestContent: os.#Container & {