在 package.json 中使用私有 git 存储库部署 Google App Engine

我的 package.json 依赖于私有 Bitbucket 存储库

{
   "my-dependency": "git+ssh://[email protected] /cdn-cgi/l/email-protection/something/my-dependency.git"
}

我按照 [1] 和 [2] 中给出的说明创建了一个使用 kms 加密的 SSH 密钥。

我创建了一个自定义cloudbuild.yaml如下：

# Decrypt the file containing the key
steps:
  - name: 'gcr.io/cloud-builders/gcloud'
    args:
      - kms
      - decrypt
      - --ciphertext-file=bitbucket_rsa.enc
      - --plaintext-file=/root/.ssh/id_rsa
      - --location=global
      - --keyring=default
      - --key=bitbucket-key
    volumes:
      - name: 'ssh'
        path: /root/.ssh

  # Set up git with key and domain
  - name: 'gcr.io/cloud-builders/git'
    entrypoint: 'bash'
    args:
      - '-c'
      - |
        chmod 600 /root/.ssh/id_rsa
        cat <<EOF >/root/.ssh/config
        Hostname bitbucket.org
        IdentityFile /root/.ssh/id_rsa
        EOF
        mv known_hosts /root/.ssh/known_hosts
    volumes:
      - name: 'ssh'
        path: /root/.ssh

  # Install
  - name: 'gcr.io/cloud-builders/yarn'
    args: ['install']
    volumes:
      - name: 'ssh'
        path: /root/.ssh

  # Build
  - name: "gcr.io/cloud-builders/yarn"
    args: ["build"]
    volumes:
      - name: 'ssh'
        path: /root/.ssh

  # Deploy
  - name: "gcr.io/cloud-builders/gcloud"
    args: ["app", "deploy", "my-service.yaml"]
    volumes:
      - name: 'ssh'
        path: /root/.ssh

当我通过运行它时gcloud builds submit --config=cloudbuild.yaml步骤 #0 到 #3 运行良好，但步骤 #4 失败，因为app deploy触发另一个yarn install它无权访问步骤 #0 和 #1 中定义的 SSH 密钥：

Step #4: INFO     rm_node_modules took 0 seconds
Step #4: INFO     starting: yarn_install
Step #4: INFO     yarn_install yarn install
Step #4: INFO     `yarn_install` stdout:
Step #4: yarn install v1.9.4
Step #4: [1/5] Validating package.json...
Step #4: [2/5] Resolving packages...
Step #4: [3/5] Fetching packages...
Step #4: info Visit https://yarnpkg.com/en/docs/cli/install for     documentation about this command.
Step #4:
Step #4: INFO     `yarn_install` had stderr output:
Step #4: error Command failed.
Step #4: Exit code: 128
Step #4: Command: git
Step #4: Arguments: ls-remote --tags --heads     ssh://[email protected] /cdn-cgi/l/email-protection/something/my-dependency.git
Step #4: Directory: /workspace
Step #4: Output:
Step #4: Host key verification failed.
Step #4: fatal: Could not read from remote repository.
Step #4:
Step #4: Please make sure you have the correct access rights
Step #4: and the repository exists.
Step #4:
Step #4: ERROR    error: `yarn_install` returned code: 1
Step #4: INFO     yarn_install took 11 seconds
Step #4: INFO     build process for FTL image took 11 seconds
Step #4: INFO     full build took 11 seconds
Step #4: ERROR    `yarn_install` had stderr output:
Step #4: error Command failed.

感谢您的帮助！

参考：

[1] https://cloud.google.com/cloud-build/docs/access-private-github-repos https://cloud.google.com/cloud-build/docs/access-private-github-repos

[2] 链接部署到 gcloud 的应用程序中的 packages.json 中的私有存储库 https://stackoverflow.com/questions/57215411/link-private-repository-in-packages-json-in-app-deployed-to-gcloud

所以显然不可能提供 SSH 密钥gcloud app deploy步。因此使用

{
   "my-dependency": "git+ssh://[email protected] /cdn-cgi/l/email-protection/something/my-dependency.git"
}

不管用！

解决方法（如链接线程中的 @JKleinne 所提到的）是克隆存储库并从本地文件夹安装它：

{
  "my-dependency": "lib/my-dependency"
}

我编写了一个小的 bash 脚本，用于检查是否可以访问存储库并克隆/拉取是否可以：

GIT_PROJECT=$1
GIT_REPO=$2
NAME=${GIT_REPO}
REMOTE="[email protected] /cdn-cgi/l/email-protection:${GIT_PROJECT}/${GIT_REPO}.git"

if [[ ! -d ./lib ]]
then
    mkdir -p ./lib
fi

## Test if git repo is accessible
if ! git ls-remote --exit-code -h ${REMOTE}; then
    echo "Unable to access git repo, skipping"
    exit 0
fi

## Clone or pull
if [[ ! -d ./lib/${NAME} ]]
then
    git clone ${REMOTE} ./lib/${NAME}
else
    git -C ./lib/${NAME} pull
fi

然后我在预安装脚本中使用它：

"preinstall": "./get-internal-package.sh something my-dependency",