App structure (Python FastAPI):
-my_app
-server.py
-Procfile
-requirements.txt
In order to install a private git repo required by my Heroku app, I added the following line to my requirements.txt:
git+https://<github-token>@github.com/me/my-private-repo.git
However, on pushing, GitHub emailed me to say that since I had exposed my token in a commit it had revoked the token. (My app repo is private.) Totally fair! However, my Heroku build now fails, since it prompts for a password when attempting to install the private repo.
I've searched SO/the internet many times re: private repos, but have always come across conflicting suggestions.
Would be grateful to hear what is best practice in this case, for safely installing a private repo in an automated build.
What I've tried so far:
- git+git://username:password@github.com/me/myrepo.git instead of token obviously has the same issue
- git+ssh://git@github.com/me/myrepo.git - yields error Host key verification failed.
pip
To expand on the ssh option, the following work on my local machine:
pip3 install git+ssh://git@github.com/me/my_private-repo.git
git clone https://github.com/me/my_private-repo.git
However when my requirements.txt contains git+ssh://git@github.com/me/my_private-repo.git, my Heroku build returns Host key verification failed. fatal: Could not read from remote repository. Please make sure you have the correct access rights and the repository exists.
Finally got it to work. I'm indebted to Michel Blancard's answer and associated gist, and Bo Jeanes' custom buildpack:
In requirements.txt:
git+ssh://git@github.com/me/my-private-repo.git
Convert my private SSH key to the (old) PEM format for Heroku(!):
ssh-keygen -f ~/.ssh/id_rsa -m PEM -p
(Credit due to this answer)
Add private SSH key as Heroku variable:
heroku config:set BUILDPACK_SSH_KEY="$(cat ~/.ssh/id_rsa)"
Add this custom buildpack to run before the Python buildpack which enables a private SSH key:
heroku buildpacks:add --index 1 https://github.com/heroku/heroku-buildpack-ssh-key.git
Deploy!
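
A pre-commit check for the failure described in the question (a token committed inside requirements.txt), as an added example that is not part of the original post: it flags VCS requirement lines whose URL embeds a literal credential and passes the SSH form used in the answer. The sample contents, EXAMPLE_TOKEN and the function names are constructed for illustration.

```python
import re
import sys
from urllib.parse import urlsplit

# URL part of a VCS requirement, e.g. "git+https://host/org/repo.git"
VCS_URL = re.compile(r"\b(?:git|hg|svn|bzr)\+(\w+://[^\s#]+)")
# pip expands ${VAR} in requirements files, so a placeholder is not a literal secret
ENV_PLACEHOLDER = re.compile(r"\$\{[A-Z0-9_]+\}")

# Constructed sample: the two risky forms from the question, then two safe forms
SAMPLE = """\
fastapi
git+https://EXAMPLE_TOKEN@github.com/me/my-private-repo.git
git+git://username:password@github.com/me/myrepo.git
git+https://${GITHUB_TOKEN}@github.com/me/my-private-repo.git
git+ssh://git@github.com/me/my-private-repo.git
"""


def is_literal_secret(value):
    """True when a userinfo field holds a real value rather than ${VAR}."""
    return bool(value) and not ENV_PLACEHOLDER.fullmatch(value)


def find_embedded_credentials(requirements_text):
    """Return (line_number, redacted_url) for each line carrying a credential."""
    findings = []
    for lineno, line in enumerate(requirements_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # commented-out requirement
        match = VCS_URL.search(line)
        if not match:
            continue
        parts = urlsplit(match.group(1))
        # Over HTTP(S) the user slot is where a token goes; over SSH it is just "git".
        token_as_user = parts.scheme in ("http", "https") and is_literal_secret(parts.username)
        if token_as_user or is_literal_secret(parts.password):
            # Never echo the secret back into hook output or CI logs
            findings.append((lineno, f"{parts.scheme}://***@{parts.hostname}{parts.path}"))
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    hits = find_embedded_credentials(text)
    for lineno, url in hits:
        print(f"requirements line {lineno}: credential embedded in {url}")
    sys.exit(1 if hits else 0)
```

Run it with the path to requirements.txt as the only argument; a non-zero exit status blocks the commit when used as a hook.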