1

App structure (Python FastAPI):

-my_app
  -server.py
  -Procfile
  -requirements.txt

In order to install a private git repo required by my Heroku app, I added the following line to my requirements.txt:

git+https://<github-token>@github.com/me/my-private-repo.git

However, on pushing, GitHub emailed me to say that since I had exposed my token in a commit it had revoked the token. (My app repo is private.) Totally fair! However, my Heroku build now fails, since it prompts for a password when attempting to install the private repo.

I've searched SO/the internet many times re: private repos, but have always come across conflicting suggestions.

Would be grateful to hear what is best practice in this case, for safely installing a private repo in an automated build.

What I've tried so far:

  • git+git://username:password@github.com/me/myrepo.git instead of token obviously has the same issue
  • git+ssh://git@github.com/me/myrepo.git - yields error Host key verification failed.
  • Store username:password (or token) as Heroku environment variables - seems from here that this isn't possible with pip

To expand on the ssh option, the following work on my local machine:

  • pip3 install git+ssh://git@github.com/me/my_private-repo.git
  • git clone https://github.com/me/my_private-repo.git

However when my requirements.txt contains git+ssh://git@github.com/me/my_private-repo.git, my Heroku build returns Host key verification failed. fatal: Could not read from remote repository. Please make sure you have the correct access rights and the repository exists.

Josh Friedlander
  • Which one of those conflicting suggestions did you try and why they don't satisfy you? – phd Jun 07 '20 at 10:24
  • expanded the question to include this – Josh Friedlander Jun 07 '20 at 11:35
  • `Host key verification failed.` can be [easily fixed](https://stackoverflow.com/a/13364116/7976758): `ssh-keygen -R github.com; ssh-keyscan -t rsa github.com >> ~/.ssh/known_hosts`. https://stackoverflow.com/search?q=%5Bssh%5D+Host+key+verification+failed – phd Jun 07 '20 at 11:57

1 Answer

6

Finally got it to work. I'm indebted to Michel Blancard's answer and associated gist, and Bo Jeanes' custom buildpack:

In requirements.txt:

git+ssh://git@github.com/me/my-private-repo.git

Convert my private SSH key to the (old) PEM format for Heroku(!):

ssh-keygen  -f ~/.ssh/id_rsa -m PEM -p

(Credit due to this answer)

Add private SSH key as Heroku variable:

heroku config:set BUILDPACK_SSH_KEY="$(cat ~/.ssh/id_rsa)"

Add this custom buildpack to run before the Python buildpack which enables a private SSH key:

heroku buildpacks:add --index 1 https://github.com/heroku/heroku-buildpack-ssh-key.git

Deploy!

jperezmartin
Josh Friedlander
  • 2
    The original buildpack is unmaintained now, use the one on the heroku org: https://github.com/heroku/heroku-buildpack-ssh-key, docs: https://elements.heroku.com/buildpacks/heroku/heroku-buildpack-ssh-key – Honza Javorek Nov 02 '20 at 12:22
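
A pre-commit or CI check for the mistake described in the question, a token or password written into a requirements.txt VCS URL. This is an added example, not code from the thread or from any project named in it; the function name, sample lines and placeholder token are constructed, and it treats `${VAR}` references (which pip 10 and later expand at install time) and key-authenticated `git+ssh://git@...` URLs as acceptable.

```python
import re
import sys
from pathlib import Path
from urllib.parse import urlsplit

URL = re.compile(r"(?:(?:git|hg|svn|bzr)\+)?[a-z][a-z0-9.]*://\S+", re.I)
ENV_REF = re.compile(r"\$\{[A-Z0-9_]+\}")  # pip >= 10 expands ${VAR} at install time

# Constructed sample requirements.txt; the token below is a placeholder, not a real one.
SAMPLE = """\
fastapi==0.58.0
git+https://EXAMPLE_TOKEN_NOT_REAL@github.com/me/my-private-repo.git
git+git://username:password@github.com/me/myrepo.git
git+ssh://git@github.com/me/my-private-repo.git
git+https://${GITHUB_TOKEN}@github.com/me/my-private-repo.git
"""


def _literal(part):
    """True if a userinfo component is a literal value, not a ${VAR} reference."""
    return bool(part) and not ENV_REF.fullmatch(part)


def find_embedded_credentials(requirements_text):
    """Return (line_no, redacted_url, reason) for each URL carrying a literal secret."""
    findings = []
    for line_no, raw in enumerate(requirements_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for match in URL.finditer(line):
            url = match.group(0)
            parts = urlsplit(re.sub(r"^[a-z]+\+", "", url, flags=re.I))  # drop "git+"
            if _literal(parts.password):
                reason = "literal password in URL"
            elif _literal(parts.username) and parts.scheme.lower() != "ssh":
                reason = "literal token or username in URL"
            else:
                continue  # ssh://git@host (key auth) or a ${VAR} reference
            # Redact userinfo so the check itself never echoes the secret into CI logs.
            redacted = url.replace(parts.netloc, "***@" + parts.netloc.rpartition("@")[2], 1)
            findings.append((line_no, redacted, reason))
    return findings


if __name__ == "__main__":
    text = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE
    hits = find_embedded_credentials(text)
    for line_no, url, reason in hits:
        print(f"line {line_no}: {reason}: {url}")
    sys.exit(1 if hits else 0)
```

Run it with the path to requirements.txt as the only argument; a non-zero exit status blocks the commit or build step.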