Hello,
I have spent some time trying to build an NPM package with Yarn and a private Git-based dependency, using Nix.
The derivation I started from looks roughly like this:
```nix
stdenv.mkDerivation (finalAttrs: {
  name = "...";
  src = ./.;
  yarnOfflineCache = fetchYarnDeps {
    yarnLock = finalAttrs.src + "/yarn.lock";
    hash = "";
  };
  # …etc.
})
```
My package.json includes a dependency fetched from an internal and private Git repository:
```json
"dependencies": {
  "foo-bar": "git+https://internal-company-host/foo/bar.git"
}
```
This repository is only accessible over HTTPS, so I rely on a line in my ~/.gitconfig to inject the credentials:
```ini
[url "https://<user>:<pass>@internal-company-host"]
    insteadOf = https://internal-company-host
```
The problem is that I never managed to build this package with Nix alone, because the build sandbox obviously doesn’t have access to these credentials, and I could not find a clean way to pass them through.
In the end, I resorted to a plain Containerfile and podman, where I can inject the credentials as a build secret:
```dockerfile
FROM <redacted>
WORKDIR /app
COPY ./package.json ./package.json
COPY ./yarn.lock ./yarn.lock
RUN --mount=type=secret,id=CREDS \
    sh -c '\
    creds="$(cat /run/secrets/CREDS)" && \
    git config --global url."https://$creds@internal-company-host/".insteadOf "https://internal-company-host" \
    '
RUN yarn install --frozen-lockfile --network-concurrency 1
COPY ./ ./
RUN yarn build
```
Then I build it like this:
```bash
CREDS="user:token" podman build \
  --secret id=CREDS,env=CREDS \
  -t custom-image \
  -f Containerfile .
```
This works perfectly with Podman, but ideally I would like to achieve the same thing with Nix and dockerTools.buildImage, as I do for all my other projects that don’t involve private repositories.
Has anyone successfully handled Git-based private Yarn/NPM dependencies in a Nix build?
Any pointers or examples would be very welcome.
Thanks in advance!
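An added example, not from the original post: in the Containerfile above, `git config --global` runs in its own RUN, so the `/root/.gitconfig` it writes, credentials included, is committed to that image layer even though the secret mount itself is not. Keeping the credential-bearing steps inside the single RUN that performs the install, and deleting the config before that RUN ends, keeps the token out of every layer. It assumes the build runs as root (HOME is `/root`) and reuses the post's `internal-company-host` placeholder.

```dockerfile
FROM <redacted>
WORKDIR /app
COPY ./package.json ./yarn.lock ./
# The secret is visible only while this RUN executes. The insteadOf rewrite
# is written, used by the git clones yarn performs, and removed within the
# same instruction, so the committed layer holds node_modules but no
# /root/.gitconfig. (Assumes the build runs as root, so HOME is /root.)
RUN --mount=type=secret,id=CREDS \
    creds="$(cat /run/secrets/CREDS)" && \
    git config --global \
      url."https://${creds}@internal-company-host/".insteadOf \
      "https://internal-company-host/" && \
    yarn install --frozen-lockfile --network-concurrency 1 && \
    rm -f /root/.gitconfig
COPY ./ ./
RUN yarn build
```

To confirm nothing was committed, `podman run --rm custom-image cat /root/.gitconfig` should report that the file does not exist.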