Private repositories #
Pipelines as Code enables the use of private repositories by creating or
updating a secret in the target namespace that contains the user token for the
git-clone
task to clone private repositories.
This is done whenever Pipelines as Code creates a new PipelineRun in the target namespace, which will result in the creation with a secret named like this:
pac-gitauth-REPOSITORY_OWNER-REPOSITORY_NAME-RANDOM_STRING
This secret contains a Git Config file: .gitconfig and a Git credentials file: .git-credentials, which includes the https URL using the token obtained from the GitHub application or secret attached to the repo CR.
The secret includes a key referencing the token as a key to let you easily use it in your task for other provider operations. See the documentation with example on how to use it here
The secret has a
ownerRef
field to the created PipelineRun. This means the secret will be auto deleted
when you delete the PipelineRun
it references to.
To disable this behavior, you can configure the secret-auto-create
setting in
the Pipelines-as-Code Configmap. You can set it to either false or true
depending on your requirements.
Using the generated token in your PipelineRun #
The git-clone task documentation, which is available at
https://github.com/tektoncd/catalog/blob/main/task/git-clone/0.4/README.md,
states that the secret needs to be referred to as a workspace named
“basic-auth” inside your PipelineRun so that it can be passed to
the git-clone
task.
To achieve this, you can add the workspace referencing the secret in your PipelineRun. For instance, you can include the following code in your PipelineRun to reference the Secret:
workspace:
- name: basic-auth
secret:
secretName: "{{ git_auth_secret }}"
Once you have added the workspace referencing the secret in your PipelineRun as described earlier, you can then pass the git-clone task to reuse it inside your Pipeline or embedded PipelineRun. This is typically achieved by including the git-clone task as a step in your Pipeline or embedded PipelineRun, and specifying the workspace name as “basic-auth” in the task definition. Here’s an example of how you could pass the git-clone task to reuse the secret in your Pipeline:
[…]
workspaces:
- name basic-auth
params:
- name: repo_url
- name: revision
[…]
tasks:
workspaces:
- name: basic-auth
workspace: basic-auth
[…]
tasks:
- name: git-clone-from-catalog
taskRef:
name: git-clone
params:
- name: url
value: $(params.repo_url)
- name: revision
value: $(params.revision)
- A full example is available here
Fetching remote tasks from private repositories #
See the resolver documentation for more details.