a year ago
Hey guys, new to nixpack and was wondering if there's a way to inject secrets into the stage commands. Here's my nixpacks.toml
[phases.install]
cmds = [
"git config --global url.'https://x-access-token:$GH_TOKEN@github.com/org/'.insteadOf 'ssh://git@github.com/org/'",
"..."
]When I replace GHTOKEN with the actual token, it works, but I can't get it to expand the variable otherwise. I have the GHTOKEN variable set globally in my railway project. Is this possible?
17 Replies
a year ago
try double quotes instead of single quotes
Not sure if this is what you mean, but I swapped it out for'git config --global url."[https://x-access-token:$GH_TOKEN@github.com/org/".insteadOf](https://x-access-token:$GH_TOKEN@github.com/org/".insteadOf) "ssh://git@github.com/org/"',
but still doesn't work
CalledProcessError
24.14
24.14 Command '['git', 'clone', '--recurse-submodules', '--', 'ssh://git@github.com/org/repo.git', '/opt/venv/src/org']' returned non-zero exit status 128.I see a Java example (https://github.com/railwayapp/nixpacks/blob/d9e651363701f2e2e20b08c7cc3e0e98eb88b656/examples/java-gradle-8/nixpacks.toml#L2) that uses an env variable, but am not sure how the Railway project variables are loaded during the build phase
a year ago
does the command work locally?
a year ago
how do you know that the issue is with the variable expansion?
I don't definitively, but it's only what I can suspect
Running the command locally with GH_TOKEN in the shell's env adds a line to gitconfig with the expanded variable. Subsequent clones work
Running the same command on Railway errors out on clone. I haven't inspected the gitconfig though (not sure how)
Running the command on Railway with the variable substituted works as well
But I'm not sure what's happening with (2) because, based on the error logs, it's not substituting at all rather than just not expanding
a year ago
what is the full error?
I'm using the python provider and it fails on the next command (I just inserted the git config before)
I get something like this, where it's installing all the packages and then
3.67 • Installing django-cors-headers (4.7.0)
23.67 • Installing django-celery-results (2.5.1)
23.67 • Installing environ (1.0)
23.67 • Installing drf-spectacular (0.28.0)
23.67 • Installing gunicorn (23.0.0)
24.14
24.14 CalledProcessError
24.14
24.14 Command '['git', 'clone', '--recurse-submodules', '--', 'ssh://git@github.com/org/repo.git', '/opt/venv/src/org']' returned non-zero exit status 128.
24.14
24.14 at ~/.nix-profile/lib/python3.13/subprocess.py:577 in run
24.15 573│ # We don't call process.wait() as .__exit__ does that for us.
24.15 574│ raise
24.15 575│ retcode = process.poll()
24.15 576│ if check and retcode:
24.15 → 577│ raise CalledProcessError(retcode, process.args,
24.15 578│ output=stdout, stderr=stderr)
24.15 579│ return CompletedProcess(process.args, retcode, stdout, stderr)
24.15 580│
24.15 581│
24.15
24.15 The following error occurred when trying to handle this error:
24.15
24.15
24.15 PoetryConsoleError
24.15
24.15 Failed to clone ssh://git@github.com/org/repo.git, check your git configuration and permissions for this repository.
24.16
24.16 at /opt/venv/lib/python3.13/site-packages/poetry/vcs/git/backend.py:226 in _clone_legacy
24.16 222│
24.16 223│ try:
24.16 224│ SystemGit.clone(url, target)
24.16 225│ except CalledProcessError:
24.16 → 226│ raise PoetryConsoleError(
24.16 227│ f"Failed to clone {url}, check your git configuration and permissions"
24.16 228│ " for this repository."
24.16 229│ )
24.16 230│
24.16a year ago
Dockerfile time!
Haha, I was thinking of making one, so maybe now's the time. You haven't seen something like this before?
a year ago
i have not
a year ago
let me know how that goes!