Using Gitlab's deploy tokens with pak, without having git installed

[david-vicente]

I don't know if this is a Pak issue, or a gitcreds issue. So sorry in advance.

Gitlab has a feature called group deploy tokens, that you can use in a number of ways. I'm currently using them to give access to every private repo that my organization/group has on gitlab. So they are like personal access tokens, but for an organization instead.

They follow a username:password scheme, where both components are random strings. So, to have access to a repository I have to add those strings to the url like: "https://username:password@gitlab.com/groupname/reponame".

Because of this gitcreds_cache_envvar gives me GITHUB_PAT_USERNAME_AT_GITLAB_COM.

I want to be able to have

RUN R -q -e 'pak::pkg_install("gitlab::groupname/reponame")'

in a Dockerfile, and build an image without git installed.

The issue is that when Pak runs gitcreds_get, in order to be able to enter this if branch, which returns before checking for git, gitcreds_get_cache will look for the env variable GITHUB_PAT_GITLAB_COM instead of GITHUB_PAT_USERNAME_AT_GITLAB_COM.

Because of this mismatch I'm forced to install git on my image even if I'm trying to use environment variables and not depend on git-credentials stores.

---

My current Dockerfile is the following:

FROM rocker/r-ver:4

RUN apt-get -y update; apt-get -y install curl git

RUN install2.r --error --skipinstalled --ncpus -1 \
    pak \
    && rm -rf /tmp/downloaded_packages \
    && strip /usr/local/lib/R/site-library/*/libs/*.so

RUN --mount=type=secret,id=gitlab,env=GITHUB_PAT_GITLAB_COM R -q -e 'pak::pkg_install("gitlab::groupname/reponame")'

CMD ["tail", "-f", "/dev/null"]

Notice I'm passing my token as an env variable, so git shouldn't be needed. However to successfully build this image I'm forced to install git in the first RUN instruction because of this issue I'm reporting.

Passing the secret as env=GITHUB_PAT_USERNAME_AT_GITLAB_COM also doesn't work...

[gaborcsardi]

> RUN --mount=type=secret,id=gitlab,env=GITHUB_PAT_GITLAB_COM R -q -e 'pak::pkg_install("gitlab::groupname/reponame")'

This does not set any env var in the container, though, it only mounts the secret into a file so naturally pak will not know about that.

[david-vicente]

Hi @gaborcsardi, thank you for the quick reply.

You can mount a secret as file, as an env variable, or even both. If you read this reference page and this manual page, you'll see that as I'm setting the env option to GITHUB_PAT_GITLAB_COM in

--mount=type=secret,id=gitlab,env=GITHUB_PAT_GITLAB_COM

that variable will be available inside the container.

In fact the provided Dockerfile does build, which wouldn't happen if the env variable weren't defined.

[david-vicente]

I just went to check, and mounting secrets as env variables is rather recent, they added the feature on 2024-09-10.

[gaborcsardi]

Sorry for dropping the ball on this, do you still care about this issue? AFAICT gitcreds and pak (pkgdepends) use the same env var:

❯ gitcreds_cache_envvar("https://username:password@gitlab.com/groupname/reponame")
[1] "GITHUB_PAT_USERNAME_AT_GITLAB_COM"

❯ pkgdepends:::gitcreds_cache_envvar("https://username:password@gitlab.com/groupname/reponame")
[1] "GITHUB_PAT_USERNAME_AT_GITLAB_COM"

But it for you it doesn't really matter what gitcreds uses, only what pak uses, anyway.

To be honest, I still don't get what the issue is here, I'll try to create a simpler reprex.

[david-vicente]

Hi, thanks for returning to this issue. Yes I would still benefit from solving this.

I think that the root of the problem is that gitcreds_get_cache is not checking/finding the value of GITHUB_PAT_USERNAME_AT_GITLAB_COM early enough, and gitcreds_get proceeds to run check_for_git(), forcing me to have git installed on my images.

I want to not have to install git and run pak::pkg_install("gitlab::groupname/reponame"), while somehow considering a <user>:<password> token that I need to pass as an ENV variable such that docker build is able to use its secrets feature.

[gaborcsardi]

OK, got it, if that's the case then I can fix this.

[david-vicente]

In fact, if I'm understanding the logic correctly, also checking for GITHUB_PAT_GITLAB_COM before checking for git would also be beneficial, because having RUN --mount=type=secret,id=gitlab,env=GITHUB_PAT_GITLAB_COM in the dockerfile is even cleaner than having an hardcoded USERNAME in that ENV variable name. Right?