The problem
I am attempting to build a Docker image using a Dockerfile which uses pip to install a Python package hosted at a GitHub URL. This URL represents an internal repository, owned by an enterprise account. Being an internal repo for an enterprise GitHub account, I am having to inject a secret GitHub personal access token into the Dockerfile in order to have access to the repository.
Within the Dockerfile, I inject that token immediately before pip install, like so:
RUN --mount=type=secret,id=github_token,uid=1000 git config --global url."https://$(cat /run/secrets/github_token):@github.com/".insteadOf "https://github.com/"
RUN pip install -r requirements.txt
I inject my token when building the Dockerfile in the following code snippet:
docker build --no-cache --secret id=github_token,src=/tmp/github_token.txt .
I have verified that my token text is in fact present in the above referenced /tmp/github_token.txt file.
All the requirements in requirements.txt seem to be installing fine until my private/internal package install is attempted, at which point the Docker build fails with the following pip error:
ERROR: Could not find a version that satisfies the requirement <package name> (unavailable) (from versions: none)
ERROR: No matching distribution found for <package name> (unavailable)
I am definitely injecting the token, and the internal repo definitely exists, so what could the issue be?
I was able to solve this myself:
The error No matching distribution found for <package name> (unavailable) isn't telling us much. So, I tried a different method of accessing the private/internal enterprise repo within the Dockerfile to see if I could get a different error message.
I modified the Dockerfile to simply clone the repository, replacing RUN pip install -r requirements.txt with RUN git clone https://github.com/<company name>/<package name>.
The docker build failed on the git clone, which was expected. However, the immediate error was different, as shown below:
Cloning into '<package name>'...
remote: The '<company name>' organization has enabled or enforced SAML SSO.
remote: To access this repository, visit https://github.com/orgs/<company name>/sso?authorization_request=xxx and try your request again.
fatal: unable to access 'https://<my secret token>:@github.com/<company name>/<package name>/': The requested URL returned error: 403
Eureka! Not only did I receive a more informative error (403), this GitHub-specific message gave me a hyperlink that I could paste into my browser which ultimately authenticated my personal access token with SSO.
After visiting the URL and clicking the SSO button, I was able to revert my Dockerfile to its previous state and successfully install my private/internal package.
The account associated with the personal access token being used needed to be authenticated with the organization's GitHub account via SSO. I was able to do this using a link given to me in a git error, although I believe this is also possible to accomplish by navigating to the organization's GitHub account via the web browser while logged into GitHub.
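
Added example, not part of the original post: a host-side shell check that surfaces the SAML SSO 403 before pip can mask it, and redacts the token that git echoes in its `fatal:` line. The function names, the `example-org`/`example-pkg` sample and the placeholder token are constructed here, and it is an assumption that `git ls-remote` returns the same remote messages as the `git clone` shown above.

```sh
#!/bin/sh
# Added example (not from the original post): classify git's stderr so an
# SSO-unauthorized token fails loudly before pip hides the cause.

# Mask credentials embedded in https:// URLs before the text reaches a log.
redact_credentials() {
  sed -E 's#(https://)[^/@[:space:]]+@#\1<redacted>@#g'
}

# Read git stderr on stdin; print "sso_required <url>", "auth_failed" or "unknown".
diagnose_git_error() {
  _text=$(redact_credentials)
  if printf '%s\n' "$_text" | grep -q 'enabled or enforced SAML SSO'; then
    _url=$(printf '%s\n' "$_text" |
      grep -oE 'https://github\.com/orgs/[^[:space:]]+/sso[^[:space:]]*' | head -n 1)
    echo "sso_required $_url"
  elif printf '%s\n' "$_text" | grep -qE 'returned error: (401|403)|Authentication failed'; then
    echo "auth_failed"
  else
    echo "unknown"
  fi
}

# Host-side check before `docker build` (assumes git >= 2.31 for GIT_CONFIG_*).
# The token reaches git through the environment, not a written .gitconfig.
preflight() {
  _repo=$1 _token_file=$2
  if _err=$(GIT_TERMINAL_PROMPT=0 GIT_CONFIG_COUNT=1 \
      GIT_CONFIG_KEY_0="url.https://$(cat "$_token_file"):@github.com/.insteadOf" \
      GIT_CONFIG_VALUE_0="https://github.com/" \
      git ls-remote "$_repo" 2>&1 >/dev/null); then
    echo "ok"
  else
    printf '%s\n' "$_err" | diagnose_git_error
    return 1
  fi
}

# Constructed sample modelled on the error in the post (token is a placeholder).
SAMPLE_STDERR="remote: The 'example-org' organization has enabled or enforced SAML SSO.
remote: To access this repository, visit https://github.com/orgs/example-org/sso?authorization_request=xxx and try your request again.
fatal: unable to access 'https://PLACEHOLDER_TOKEN:@github.com/example-org/example-pkg/': The requested URL returned error: 403"

printf '%s\n' "$SAMPLE_STDERR" | diagnose_git_error
```

The same `GIT_CONFIG_*` variables can be set on the `pip install` command inside a single `RUN --mount=type=secret` step, which avoids the `~/.gitconfig` entry that `git config --global` writes into the image layer.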