Using Private Dependencies

Dependency managers like Bundler, Yarn, and Go's module system allow specifying dependencies from private Git repositories. This makes it easier for teams to share code without requiring separate package hosting. Authentication typically happens over SSH. You can manage SSH keys with Semaphore's secrets to authenticate to private Git repositories. This article walks you through the process.

Create the SSH key

You'll need to generate an SSH key and associate it directly with the project or a user who has access to that project. First, generate a new public/private key pair on your local machine:

ssh-keygen -t rsa -f id_rsa_semaphoreci

Add the SSH key

Next, connect the SSH key to the project or user. GitHub Deploy Keys are the easiest way to grant access to a single project. The trade-off is that you'll need to add a deploy key for all private projects. However, you may reuse the same key.

Another solution is to create a dedicated "ci" user, grant the "ci" user access to the relevant projects, and add the key to the user. Regardless of which you use, paste the contents of id_rsa_semaphoreci.pub into the relevant SSH key configuration on GitHub.

Create the secret

Now GitHub is configured with the public key. The next step is to configure your Semaphore pipeline to use the private key. We'll use secret files for this. Use the sem CLI to create a new secret from the existing private key in id_rsa_semaphoreci on your local machine:

sem create secret private-repo --file id_rsa_semaphoreci:/home/semaphore/.keys/private-repo

This will create the file ~/.keys/private-repo in your Semaphore jobs.

Use the secret in your pipeline

The last step is to add the private-repo secret to your Semaphore pipeline. This will make the private key file available for use with ssh-add. Here's an example:

blocks:
  - name: "Test"
    task:
      secrets:
        # Mount the secret:
        - name: private-repo
      prologue:
        commands:
          # Correct permissions since they are too open by default:
          - chmod 0600 ~/.keys/*
          # Add the key to the ssh agent:
          - ssh-add ~/.keys/*
          - checkout
          # Now bundler/yarn/etc are able to pull private dependencies:
          - bundle install
      jobs:
        - name: Test
          commands:
            - rake test

That's all there is to it. You can use the same approach to add more deploy keys to the private-repo secret to cover more projects, and reuse the secret across other projects.
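
The prologue above runs chmod and ssh-add over every file in ~/.keys, so once several files are mounted from the secret, a stray public key or other non-key file makes ssh-add fail. As an added example (not Semaphore's own code), this POSIX shell helper checks each file before loading it and fails early when no usable key is mounted; the function names and the SKIP_AGENT dry-run switch are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: a stricter form of `chmod 0600 ~/.keys/*; ssh-add ~/.keys/*`.
# The default directory matches the path used by the secret on this page.

# is_private_key FILE: succeed only if FILE is a regular file whose first
# line is a PEM/OpenSSH private key header.
is_private_key() {
  [ -f "$1" ] || return 1
  first_line=
  IFS= read -r first_line < "$1" || [ -n "$first_line" ] || return 1
  case "$first_line" in
    "-----BEGIN "*"PRIVATE KEY-----") return 0 ;;
    *) return 1 ;;
  esac
}

# load_keys [DIR]: restrict permissions on every private key in DIR and add
# it to the running ssh-agent. Prints each accepted path on stdout, reports
# skipped files on stderr, and returns non-zero if no key was loaded.
load_keys() {
  dir=${1:-"$HOME/.keys"}
  loaded=0
  for key in "$dir"/*; do
    if ! is_private_key "$key"; then
      echo "skip: $key (not a private key file)" >&2
      continue
    fi
    # ssh-add refuses keys that are group- or world-readable.
    chmod 0600 "$key" || return 1
    # SKIP_AGENT=1 is a hypothetical switch for dry runs without an agent.
    if [ "${SKIP_AGENT:-0}" != 1 ]; then
      ssh-add "$key" || return 1
    fi
    echo "$key"
    loaded=$((loaded + 1))
  done
  # Fail the job here rather than later inside `bundle install`.
  [ "$loaded" -gt 0 ]
}
```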
