Sometimes when building a site, you might be required to fetch dependencies from a private store or repository. This often happens if you're using a particular third party plugin that is licenced and access to the code is behind an authenticated endpoint, or if a larger development team simply has code reused across multiple sites that they want to keep private.
There are a couple of commonly used methods for retrieving private dependencies which we'll discuss further in this post.
Authentication via Git
Very often when running a task such as composer install, the actual process in the background will use Git, and retrieve a number of third party dependencies straight from their source repositories.
As a result of this, it's easy to leverage the use of a private repository if you don't want to allow direct access to developers outside your organisation.
Generally, it's easiest to use an SSH key that is added to your repository host to allow access to any repositories that are required for your build. Some repository hosts, for security reasons, only allow an SSH key to be added to a single place. This means you can't add the key to, for example, the deployment keys area in each repository that the build needs to pull from.
Taking GitHub as an example, you can instead create a "Machine User" - which is in effect, a restricted user that no human would ever log in via - and give that restricted access to only the necessary repositories. Then, you can simply add the SSH key to that user's profile.
When using the DeployHQ build pipeline, you can copy the SSH key directly from your project to be used across any repositories as needed. You can find out more about this process within our documentation.
This method is particularly useful when you're building using your own repositories, but for actual third party dependencies, this is normally done differently.
Authentication via access Key
If you're required to access a third party for your build, for example a Wordpress plugin, this will generally be achieved by the use of an access key. This works well in scenarios where you might need to purchase a licence from the third party vendor to be able to access that plugin.
Depending on the tools used for your build, you'll likely need to have a file present that references the third party and contains the appropriate key. Using Composer as an example, you can use an auth.json file, to contain any keys you need if you're connecting to multiple vendors.
This is leveraged in the build process and can be referenced via your composer.json file. Most vendors should provide instructions on how to reference the dependency and key.
If you're doing this via DeployHQ, we would recommend looking at using our Config Files feature, which allows you to keep keys and secrets away from your repository, and you can restrict access to the files to only trusted users. All config files are encrypted before being stored on our servers.
Further information
If you're looking for more information specific to certain build tools, we'd recommend the following guidance for the most commonly used tools in the build pipeline:
- Composer - https://getcomposer.org/doc/05-repositories.md
- NPM - https://docs.npmjs.com/creating-and-publishing-private-packages
- Ruby - https://guides.rubygems.org/publishing
And as always, if you have any questions about these processes, please don't hesitate to get in touch.
