Provide info how to access private git dependencies via JWT access token (GitHub App)

[Gustl22]

Page URL

https://dart.dev/tools/pub/dependencies#git-packages

Page source

https://github.com/dart-lang/site-www/tree/main/src/content/tools/pub/dependencies.md

Describe the problem

For private git dependencies, it is recommended to use SSH. But GitHub themselves disengage SSH and also this is only feasable locally. On CIs for every private repo, a new SSH key has to be generated, which then can be entered in the repos as Deployment Key to allow fetching the dependency (one key CANNOT be used for multiple repos, unfortunately).

So we should give the hint to authenticate via access tokens, e.g. one generated with "GitHub App"s.

Here a common workflow:

    steps:
      - uses: actions/checkout@v4
      - uses: actions/create-github-app-token@v1
        id: app-token
        with:
          app-id: ${{ vars.APP_ID }}
          private-key: ${{ secrets.SSH_PRIVATE_KEY }}
          owner: ${{ github.repository_owner }}
      - name: Set github url and credentials
        run: |
          git config --global --add url."https://x-access-token:${{ steps.app-token.outputs.token }}@github".insteadOf https://github
          git config --global --add url."https://x-access-token:${{ steps.app-token.outputs.token }}@github.com/".insteadOf ssh://git@github.com:
          git config --global --add url."https://x-access-token:${{ steps.app-token.outputs.token }}@github.com/".insteadOf git@github.com:

Would that be a valid approach to link in the docs?

Expected fix

Provide a link or add an example how to fetch private repository dependencies from git via access tokens.

Additional context

No response

I would like to fix this problem.

• I will try and fix this problem on dart.dev.

[johnpryan]

Can you explain what you are trying to do? I don't see the connection between create-github-app-token and fetching git dependencies.

You're right, you can't run pub get if your pubspec uses an SSH dependency, and there aren't any SSH keys configured.
We could add a warning that SSH keys are required to use SSH, but that seems redundant to me.

[Gustl22]

The problem is NOT SSH. But the problem is accessing private repos via HTTPS e.g. via a x-access-token. Currently only a ssh connection is written as solution in https://dart.dev/tools/pub/dependencies#git-packages (search for private) to access private repos. GitHub App was just an example, which forces to use access tokens, instead of ssh, because they disengage it (for a good reason in my opinion).

So we should propose a way to how to access private repos via access tokens (https), instead of ssh.

So my use case is to build an app which has private dependencies from my repo, such as:

dependencies:
  // ...
  my_private_package
    git:
      url: "https://github.com/owner/my_private_package.git"

But one cannot access it without credentials, like:
https://x-access-token:TOKEN@github.com/owner/my_private_package.git
see. e.g. https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/authenticating-as-a-github-app-installation#about-authentication-as-a-github-app-installation

Obiously, I cannot save the credentials inside the pubspec.yaml (they are also changing on every build, in contrast to a PAT).

[Gustl22]

I was a bit lost, I found a more straight forward was to do it, as I think its already the case under the hood when requested for username and password locally. Anyways it should be stated as an alternative to SSH:

git config --global credential.helper store
echo "https://x-access-token:${{ steps.app-token.outputs.token }}@github.com" > ~/.git-credentials
# Only needed if one wants to rewrite all ssh requests to GitHub to be used with http(s) credentials:
#git config --global url.https://github.com/.insteadOf ssh://git@github.com:
#git config --global url.https://github.com/.insteadOf git@github.com:

[johnpryan]

This probably doesn't belong in the Dart documentation, since this is more related to Git and GitHub configuration.

How about we add a note saying that in order to use HTTPS, you need to configure your git environment, and link out to the steps that you need to take for HTTPS for private repos from the GitHub documentation?

[Gustl22]

Yes, a link would be nice. Just so that one knows that there's an alternative.