
Allow fetching private github repositories with an authorization token

Open expipiplus1 opened this issue 9 years ago • 6 comments

It would be nice to have a single place in the configuration where a github token could be declared rather than having to specify fetch urls with username:password in them, and tokens elsewhere.

expipiplus1 Jun 12 '16 11:06

The procedure for this is quite simple: git clone https://<token>@github.com/owner/repo.git

What would be the best way of specifying to Hydra that it should attempt a clone like this though?

expipiplus1 Jun 12 '16 19:06

Is this still WIP, or is there a different solution, maybe with deploy keys?

rsoeldner Apr 27 '18 14:04

I have made this work before by just doing:

sudo -u hydra -i
ssh-keygen

then giving that key (which must lack a passphrase) access to a dummy GitHub account that has read-only access to the project, and then using a git@github.com:owner/project URL in the inputs of a jobset.

cleverca22 Apr 28 '18 00:04

If you add an access-tokens entry for GitHub to Hydra's /etc/nix/nix.conf, it can access whatever you configure the personal access token (PAT) to access.

ryantm Jun 07 '23 16:06

Hello, I'm trying to build a flake in a private repo. I added the GitHub personal access token (classic) to the nix.conf file. If I start the evaluation from the command line using "hydra-eval-jobset project_name jobset_name", the evaluation completes successfully, retrieving the latest commit from the repo. From the web interface, however, the evaluation works only if the repo is public. If I then set it private, Hydra always uses the old public commit, ignoring the new ones.

It seems that when the evaluation is run from the command line, the flakeRef is correctly updated to the newest URL using flake metadata:

my $flakeRef = $jobset->flake;
if (defined $flakeRef) {
    (my $res, my $json, my $stderr) = captureStdoutStderr(
        600, "nix", "flake", "metadata", "--refresh", "--json", "--", $flakeRef);
    die "'nix flake metadata' returned " . ($res & 127 ? "signal $res" : "exit code " . ($res >> 8))
        . ":\n" . ($stderr ? decode("utf-8", $stderr) : "(no output)\n")
        if $res;
    $flakeRef = decode_json($json)->{'url'};
}

whereas when the evaluation is triggered automatically, after the check interval, it is getting the flake URL from somewhere else, but I'm not able to figure out where and how. Thanks

Tommixe Feb 11 '24 15:02

Found the issue. hydra-eval-jobset is run by hydra users. The GitHub personal access token (classic) in nix.conf was added using a sops secret, but I didn't make the secret readable by the hydra user. Fixing the read permission solved the problem.

Tommixe Feb 17 '24 13:02
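A check for the failure described in the last comment, as an added example that is not part of the thread or of Hydra's code: it walks nix.conf and the files it includes, and reports whether the current user can read every file and whether an access-tokens entry exists for the host, without printing the token. The function names, script name and sample layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Hydra or Nix code). Run it as the user that evaluates jobsets:
#   sudo -u hydra sh check-token.sh /etc/nix/nix.conf github.com
# Exit: 0 entry readable, 1 a config file is missing/unreadable, 2 no entry. Tokens are never printed.

scan_conf() (  # subshell body keeps variables local across recursion
    conf=$1 host=$2 found=2
    [ -r "$conf" ] || { echo "missing or not readable by $(id -un): $conf" >&2; exit 1; }
    dir=$(dirname "$conf")
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                  # drop comments
        set -f; set -- $line; set +f      # split on whitespace without globbing
        case ${1:-} in
            include|'!include')           # follow includes, relative to this file
                [ -n "${2:-}" ] || continue
                case $2 in /*) inc=$2 ;; *) inc=$dir/$2 ;; esac
                rc=0; scan_conf "$inc" "$host" || rc=$?
                [ "$rc" -eq 1 ] && exit 1
                [ "$rc" -eq 0 ] && found=0
                ;;
            access-tokens)                # access-tokens = host=token host=token ...
                shift
                for kv in "$@"; do
                    case $kv in "$host"=?*) found=0 ;; esac
                done
                ;;
        esac
    done < "$conf"
    exit "$found"
)

# Constructed sample layout: nix.conf pulls the token from a separate secret file.
make_sample() {  # $1 = existing directory to populate
    mkdir -p "$1/secrets"
    printf '%s\n' 'experimental-features = nix-command flakes' '!include secrets/tokens.conf' > "$1/nix.conf"
    printf '%s\n' 'access-tokens = github.com=CONSTRUCTED_PLACEHOLDER' > "$1/secrets/tokens.conf"
}

if [ "$#" -gt 0 ]; then
    rc=0; scan_conf "$1" "${2:-github.com}" || rc=$?
    case $rc in
        0) echo "access-tokens entry for ${2:-github.com} is readable" ;;
        2) echo "no access-tokens entry for ${2:-github.com}" ;;
    esac
    exit "$rc"
fi
```

Running it once from your own shell and once under `sudo -u hydra` shows the difference between the manual evaluation and the one the service performs.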