What is the preferred way to install private github repos as node modules?

I have a pipeline that runs my mocha tests, and needs to do an NPM install in order to do it. Up until this point all of our NPM packages have been public, so there’s no problem with this step.

However we are creating internal packages within our company that will remain private. During npm install, buddy fails due to the fact that it doesn’t have permission. We use ssh to install locally, and I was wondering if there is a way to do that with Buddy as well.

Edit: I changed the title, and thought I should clarify. I am not using the NPM private modules service, but rather have private repos in github that I directly reference in my package.json file.


With the help of support, I was able to figure this out. I had to create a machine user on github and add it to my project. I think created a key pair for this user, and added the public key to github. I then took the private key and had to move it into the file system in an uploads folder. As part of the build process, I move that key to /root/.ssh/ and then add it to ssh-agent and add github to the list of known host. It looks like this

mkdir -p /root/.ssh
cp uploads/id_rsa /root/.ssh/id_rsa
chmod 600 /root/.ssh/id_rsa
eval "$(ssh-agent -s)"
ssh-add /root/.ssh/id_rsa
touch /root/.ssh/known_hosts
ssh-keyscan -H github.com >> /root/.ssh/known_hosts
npm install
npm test

Thanks for posting that, Jake. Like we said:

We’re currently working on delivering new function that allows for adding a key to the pipeline (next to the environment variables). The key will be automatically available in the container. This feature should be ready in about 2 weeks.

1 Like

Just an update: ssh keys are now available as environment variables! I added my private key as id_rsa and now my code looks like this:

eval "$(ssh-agent -s)"
ssh-add /root/.ssh/id_rsa
touch /root/.ssh/known_hosts
ssh-keyscan -H github.com >> /root/.ssh/known_hosts
npm install
npm test

I still have to add the rsa key to ssh-agent and github to the list of known hosts, but this is much better than it was before! Thanks!

Indeed, the keys are now available from pipelines. Here are detailed instructions in case other users may need it: https://buddy.works/knowledge/deployments/how-use-ssh-keys-in-actions

Thanks for the heads up!

Jake - thank you for the legwork here.

Kivlov - I was surprised to see that the steps in Jake’s most recent update are still required in order to pull from a private Github repo, even after I’ve added Buddy’s public key as a deploy key in that private repo. Why doesn’t Buddy automatically add its own private key to a running ssh-agent in the build context?

*edit just realized this was in the Enterprise forum but it’s also relevant for app.buddy.works

Thank you!

We can’t automatically run ssh-keyscan in every build action because of two reasons:

  1. SSH is not installed in every image
  2. it takes about 0,5 seconds for each domain

If SSH is installed in your image, all you have to do is to run the following command:
ssh-keyscan -H github.com > /root/.ssh/known_hosts

You don’t need to do anything with the ssh-agent and the touch command.
Also a tip for you: you should add the ssh-keyscan command to the ‘Customize environment’ section in the Environment tab – then it will not run in each execution.

Continuing on this topic, I’m also having problem with installing private git repositories.
From the documentation on npm, there is another method besides SSH keys: github personal token

So my package.json looks like:
“dependencies”: {
“MYPACKAGE”: “git+https://MYTOKEN:x-oauth-basic@github.com/USER/REPO”

There is no warning or error during install. But the build fails (react-scripts build)
Looking at the file system, a package is created in node_modules but only contains the package.json and README.md
Wasn’t sure if the problem was with the definition of my package so running it with both CircleCI and GitHub workflows. And both are working.

Are github personal tokens not working ? Should I use the SSH method described above?

Using GutHub personal API token should work – could you please contact support@buddy.works and send us the URL to the pipeline in which you have problems with it? We’ll check this.