Private repositories #
Pipelines as Code support private repositories by creating or updating a secret in the target namespace with the user token for the git-clone task to use and be able to clone private repositories.
Whenever Pipelines as Code create a new PipelineRun in the target namespace it will create or update a secret called:
pac-gitauth-REPOSITORY_OWNER-REPOSITORY_NAME-RANDOM_STRING
The secret contains a .gitconfig
and Git credentials .git-credentials
with
the https URL using the token it discovered from the GitHub application or
attached to the secret.
As documented :
https://github.com/tektoncd/catalog/blob/main/task/git-clone/0.4/README.md
The secret needs to be referenced inside your PipelineRun and Pipeline as a
workspace called basic-auth to be passed to the git-clone
task.
For example in your PipelineRun you will add the workspace referencing the Secret :
workspace:
- name: basic-auth
secret:
secretName: "{{ git_auth_secret }}"
And inside your pipeline, you are referencing them for the git-clone
to reuse:
[…]
workspaces:
- name basic-auth
params:
- name: repo_url
- name: revision
[…]
tasks:
workspaces:
- name: basic-auth
workspace: basic-auth
[…]
tasks:
- name: git-clone-from-catalog
taskRef:
name: git-clone
params:
- name: url
value: $(params.repo_url)
- name: revision
value: $(params.revision)
The git-clone
task will pick up the basic-auth (optional) workspace and
automatically use it to be able to clone the private repository.
You can see as well a full example here
This behavior can be disabled by configuration, setting the secret-auto-create
to false or true
inside the Pipelines-as-Code Configmap.
Fetching remote tasks from private repositories #
See the resolver documentation for more details.