I have a private repository on Github that I want to use. I deploy my app to Heroku. How can I specify a private repository as the source on my gemfile? I imagine it wouldn't be enough to simply say
gem "mygem", :git=>"my github address"
How can I specify a gem to pull from a private github repository?
Asked Answered
As per suggestion from Heroku tech support, the easiest way to do this is by putting the username and password into the URL, as in Basic HTTP Auth, e.g.
gem 'my_gem', :git => 'https://my_username:[email protected]/my_github_account/my_repo.git', :ref => 'revision_no'
This worked for us. This is still somewhat dissatisfying as we had to put a password into the Gemfile. We dealt with this by adding a new github user account and adding that account as collaborator on the gem project. Still not foolproof security, but the impact is more narrow.
Other options I read about are to set up your own gem server or to vendor the gem.
Update 5/16/2012:
Another way to get around putting the password into the Gemfile is to put the password into an environment variable; on Heroku you do this with heroku config:add VAR=value, and then in the Gemfile you'd use this variable, e.g.:
gem 'my_gem',
:git => "https://#{ENV['var_private_gem_username']}:#{ENV['var_private_gem_password']}@github.com/my_github_account.git",
:ref => 'rev'
This is the standard on Heroku to avoid putting passwords, API keys and any credentials into the code. For local development/test, you can set these environment variables. Or, assuming your development machine is set up for SSH access to github, you won't need the credentials for local development (the SSH credentials will be in effect already). So you could set up some conditional logic:
private_repo_credentials = %w(var_private_gem_username var_private_gem_password).
map { |var| ENV[var] }.compact.join(':')
private_repo_credentials << '@' unless private_repo_credentials.empty?
# private_repo_credentials will be "" if neither var is set
# private_repo_credentials will be "username:password@" if they are set
gem 'my_gem',
:git => "https://#{private_repo_credentials}github.com/my_github_account.git",
:ref => 'rev'
I've not tested this last part. Please provide feedback.
You might also consider using Gemfury devcenter.heroku.com/articles/gemfury –
Clyburn
github has rolled out a new feature for this: github.com/blog/… –
Twoup
@WolframArnold...can we do this with unfuddle ? –
Backrest
@Backrest if Unfuddle accepts credentials via HTTP Simple Auth, e.g. https://@<username>:<password>/<url> then you should get it to work. If they don't support simple auth over HTTPS you should definitely ask for that. They may also have a custom feature, like github now, see preceding comment. –
Thorncombe
There's an issue with user-env-compile and using the ENV in Gemfile - your password / token will still be in the Gemfile.lock Any way out? –
Holoblastic
I think the answer is using github's native feature. –
Thorncombe
I'm seeing my password in the Gemfile.lock even with the ENV variables. Dangerous solution –
Lawful
Ain't this why Github has deploy keys? Shouldn't we be using those? –
Keon
Please don't do this. Don't put your credentials in the Gemfile. Even if you use environment variables, they will end up in the Gemfile.lock. See my answer below. –
Herr
The best way I've found to deploy a gem pulled from a private repo is to use GitHub's OAuth access. To do so:
Create a GitHub user with access to the repo in question (best for teams – if you're okay exposing your personal access tokens, you can simply use your own account).
Create an GitHub OAuth token for the user. It's dead simple to do this over the GitHub API just using
curl; see the OAuth API for more.Add the token to the
giturl in your Gemfile. Example:
gem 'mygem', git: 'https://xxx123abc:[email protected]/user_or_team/mygem.git'
I'm currently using this method on Heroku and it works great. The beauty is that you don't have to expose your own personal information, and you can revoke or regenerate the token at any point if something is compromised.
This worked for me. For more information on how to create the OAuth token, visit: help.github.com/articles/… –
Biquadratic
Not sure why everyone is upvoting the answer that instructs you to put your password in plaintext into version control, then deploy it to a third-party website instead of this one. –
Handclasp
You can now create personal OAuth tokens on the GitHub site: github.com/settings/tokens/new –
Vassili
This should be the accepted answer @picardo. Could you change it? –
Winnick
@Amphistylar can you update the question to use this answer instead of the one you selected? –
Evaleen
Take the time to create a new GitHub account that has nothing but read access to the Gem repo and scope the token to repo. Do not use access tokens for your own account, they will have all of your access. –
Shallot
As per suggestion from Heroku tech support, the easiest way to do this is by putting the username and password into the URL, as in Basic HTTP Auth, e.g.
gem 'my_gem', :git => 'https://my_username:[email protected]/my_github_account/my_repo.git', :ref => 'revision_no'
This worked for us. This is still somewhat dissatisfying as we had to put a password into the Gemfile. We dealt with this by adding a new github user account and adding that account as collaborator on the gem project. Still not foolproof security, but the impact is more narrow.
Other options I read about are to set up your own gem server or to vendor the gem.
Update 5/16/2012:
Another way to get around putting the password into the Gemfile is to put the password into an environment variable; on Heroku you do this with heroku config:add VAR=value, and then in the Gemfile you'd use this variable, e.g.:
gem 'my_gem',
:git => "https://#{ENV['var_private_gem_username']}:#{ENV['var_private_gem_password']}@github.com/my_github_account.git",
:ref => 'rev'
This is the standard on Heroku to avoid putting passwords, API keys and any credentials into the code. For local development/test, you can set these environment variables. Or, assuming your development machine is set up for SSH access to github, you won't need the credentials for local development (the SSH credentials will be in effect already). So you could set up some conditional logic:
private_repo_credentials = %w(var_private_gem_username var_private_gem_password).
map { |var| ENV[var] }.compact.join(':')
private_repo_credentials << '@' unless private_repo_credentials.empty?
# private_repo_credentials will be "" if neither var is set
# private_repo_credentials will be "username:password@" if they are set
gem 'my_gem',
:git => "https://#{private_repo_credentials}github.com/my_github_account.git",
:ref => 'rev'
I've not tested this last part. Please provide feedback.
For the ENV approach to work, you'll have to enable a labs addon:
heroku labs:enable user_env_compile. Unfortunately, there are still issues with matching the Gemfile.lock. –
Elver You might also consider using Gemfury devcenter.heroku.com/articles/gemfury –
Clyburn
github has rolled out a new feature for this: github.com/blog/… –
Twoup
@WolframArnold...can we do this with unfuddle ? –
Backrest
@Backrest if Unfuddle accepts credentials via HTTP Simple Auth, e.g. https://@<username>:<password>/<url> then you should get it to work. If they don't support simple auth over HTTPS you should definitely ask for that. They may also have a custom feature, like github now, see preceding comment. –
Thorncombe
There's an issue with user-env-compile and using the ENV in Gemfile - your password / token will still be in the Gemfile.lock Any way out? –
Holoblastic
I think the answer is using github's native feature. –
Thorncombe
I'm seeing my password in the Gemfile.lock even with the ENV variables. Dangerous solution –
Lawful
Ain't this why Github has deploy keys? Shouldn't we be using those? –
Keon
Please don't do this. Don't put your credentials in the Gemfile. Even if you use environment variables, they will end up in the Gemfile.lock. See my answer below. –
Herr
This question deserves a better answer since both the accepted answer and the most voted ones ARE NOT SAFE if you want to avoid putting your credentials or oauth token in the repository.
Please don't do:
gem 'my_private_gem', git: 'https://my_username:[email protected]/my_github_account/my_private_gem.git'
or
gem 'my_private_gem', git: 'https://xxx123abc:[email protected]/my_github_account/my_private_gem.git'
even if you move them as environment variables, they will still be written in your Gemfile.lock.
the correct solution is to put the following on the Gemfile:
gem 'my_private_gem', git: 'https://github.com/my_github_account/my_private_gem.git'
and configure bundler to use your oauth key via:
export MY_OAUTH_KEY=abcd
bundle config github.com $MY_OAUTH_KEY
Create the oauth key here with the repo scope.
You can now set the env variable MY_OAUTH_KEY on you machine, on the CI and on Heroku so that they can all download the gem.
On Heroku, you will set the following environment variable:
BUNDLE_GITHUB__COM: <your_oauth_key>
I didn't understand some things. In which file I need to configure the bundler? I need to set both BUNDLE_GITHUB__COM and MY_OAUTH_KEY on Heroku? –
Scrubland
On Heroku you can set the environment variable BUNDLE_GITHUB__COM with your oauth key. You can set this env variable also locally if you want –
Herr
This is best solid solution it should be accepted answer –
Intoxicate
This is the safest answer. Is there any security issues with
export MY_OAUTH_KEY=abcd, should you unset $MY_OAUTH_KEY after doing the bundle config –
Watertight For anyone trying to use GitHub's new fine-grained personal access tokens, I got this to work by adding the Contents read-only repository permission, and then you need to prefix the token with
oauth2: as described here –
Woaded I found that if I have access from my terminal to github (by uploading an ssh key to github), I can simply do:
gem 'my_gem', :git => '[email protected]:my_user/my_repo.git', :ref => 'revision_no'
without polluting my code with my git username or password
@KhoaNguyen It won't work out of the box, since the Heroku server would try to access the git repository directly. I think it may be possible to add your Heroku server's ssh key to your github repository, thus allowing this access - but I'm not sure its possible –
Jordanjordana
@gardenofwine, This approach may work if you have one or two servers on Heroku. On a larger scale, you cannot add keys from all your servers to Github. –
Isidraisidro
- Create a ssh keys
- Make sure those keys under
~/.sshdirectory - Copy content of
~/.ssh/id_rsa.pubinto https://github.com/MY_COMPANY/MY_GEM/settings/keys - In your
Gemfileuse:gem 'mygem', github: 'MY_COMPANY/MY_GEM' - run
bundle install
In addition to @seth-bro's answer, we can also use bundle config to configure the credentials using bundler, so that we need not expose the oAuth token on the Gemfile.
Syntax: bundle config github.com <your_github_oauth_token>
Refer: https://gist.github.com/sebboh/f1dfe4f096746c45f3e9ea06a09743a0 https://bundler.io/v1.16/bundle_config.html
The most secure way to do this is to configure the github personal token the following way. After you create your github personal access token by following their official documentation, do the following:
- In your local machine, do:
bundle config github.com YOUR_GITHUB_PERSONAL_TOKEN:x-oauth-basic
- In heroku, set
BUNDLE_GITHUB__COMENV variable:
BUNDLE_GITHUB__COM = YOUR_GITHUB_PERSONAL_TOKEN
You can also do this from your terminal by doing:
heroku config:set BUNDLE_GITHUB__COM=YOUR_GITHUB_PERSONAL_TOKEN
Hopefully still relevant in 2015, you can use https://github.com/siassaj/heroku-buildpack-git-deploy-keys with a deploy key from github.
This way you avoid putting the username and pass into Gemfile, which will end up as plain text in the Gemfile.lock
I found that when using the env approach and heroku labs:enable user_env_compile then there is no problem with the Gemfile.lock
© 2022 - 2024 — McMap. All rights reserved.
heroku labs:enable user_env_compile. Unfortunately, there are still issues with matching the Gemfile.lock. – Elver