
I would like to remove my user name and personal access token from the package.json file in my React application.

The package being installed is a private remote GitHub repository for which I am the owner.

The request is being made over the HTTPS protocol.

E.g: "react-trello": "https://username:token@github.com/username/react-trello.git#dev/branch"

I have a PAT issued from GitHub. But I'm having trouble accessing them in the package.json file in my project.

Should I create Heroku config vars with the PAT value? heroku config:set -a my-app GITHUB-TOKEN=466ghdf57

In Heroku config you can set variable names to use with GitHub. How do I set my user name, password and token? As Heroku config variables?

E.g: USERNAME, GITHUB-USER, TOKEN, GITHUB-TOKEN.

I've tried creating variables such as USERNAME, TOKEN, GITHUB_USER. But it doesn't work if I remove my credentials from the package.json file.

E.g: "react-trello": "https://github.com/username/react-trello.git#dev/branch".

I get an error: Fatal: Could not read Username for "https://github.com".

Am I missing something?


1 Answer


Heroku doesn't provide this out of the box, and package.json doesn't natively support environment variables.

One option is to build your dependency as an NPM package and publish it on a private package repository, e.g. Gemfury, whose Heroku addon has a free plan supporting a single private module.

Briefly, you can publish your module to Gemfury with https://npm-proxy.fury.io/APPID/, followed by npm login and npm publish. Then, in the Heroku app that depends on your private module, add a .npmrc file containing

always-auth=true
registry=https://npm-proxy.fury.io/APPID/
//npm-proxy.fury.io/APPID/:_authToken=${FURY_AUTH}

and set a Heroku config var FURY_AUTH containing your Gemfury auth token.

This does mean you'll have to update your published library on Gemfury before the dependent application will see changes you make to it. This is probably a good idea anyway; depending on specific tagged releases is safer than depending on mutable branches.

There is also this workaround which may let you effectively inject environment variables into your package.json, but I haven't tried it.

The workaround actually solved the issue. When using a private repo there was no problem getting around GitHub security. But using a public repo - the blob contains credentials of GitHub Personal Access Tokens so it won't work. Thanks Chris. – Berni Jul 08 '19 at 20:47
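Whichever route is taken (a private registry with the token in a Heroku config var, or the injection workaround), the thing to verify afterwards is that no dependency spec in package.json still carries a credential in its URL. The following is an added example, not code from the question, the answer or any project it mentions: it scans the dependency sections of a package.json for http(s) specs with userinfo (the "https://username:token@github.com/..." form from the question), reports them, and produces a sanitized copy with the userinfo stripped and the branch fragment kept. The package.json content and the "ghp_EXAMPLE" value are constructed for the example.

```javascript
// Constructed package.json for this example: "react-trello" mirrors the spec
// from the question, the other entries are cases the check must not flag.
const CONSTRUCTED_PACKAGE_JSON = JSON.stringify({
  name: "my-app",
  dependencies: {
    react: "^16.8.0",
    "react-trello": "https://username:token@github.com/username/react-trello.git#dev/branch",
    "left-pad": "https://github.com/someone/left-pad.git#v1.0.0",
    other: "git+ssh://git@github.com/someone/other.git",
  },
  devDependencies: {
    tool: "git+https://ghp_EXAMPLE@github.com/someone/tool.git",
  },
});

const DEP_SECTIONS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];

// Only http(s) specs can carry a secret in the userinfo part. The "git@" in an
// ssh spec is the SSH login name, not a credential, so those are left alone.
const HTTP_SPEC = /^(git\+)?https?:\/\//i;

// Returns the credential-bearing specs found and a sanitized copy of the file
// with the userinfo stripped (the branch/tag fragment is preserved).
function scanPackageJson(text) {
  const pkg = JSON.parse(text);
  const findings = [];
  for (const section of DEP_SECTIONS) {
    const deps = pkg[section];
    if (!deps) continue;
    for (const [name, spec] of Object.entries(deps)) {
      if (typeof spec !== "string" || !HTTP_SPEC.test(spec)) continue;
      const url = new URL(spec);
      // GitHub accepts a PAT as the username alone, so either field counts.
      if (!url.username && !url.password) continue;
      url.username = "";
      url.password = "";
      findings.push({ section, name, stripped: url.href });
      deps[name] = url.href; // rewrite in place so the sanitized copy is usable as-is
    }
  }
  return { findings, sanitized: JSON.stringify(pkg, null, 2) };
}

const report = scanPackageJson(CONSTRUCTED_PACKAGE_JSON);
for (const f of report.findings) {
  console.log(`${f.section}.${f.name}: credentials removed -> ${f.stripped}`);
}
```

Running this as a pre-commit or CI step catches the pattern before it lands in a repository, which matters because a token committed to a public repo is exposed in the git history even after the line is edited out.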