Private repos using github oauth tokens

[vektah]

In dev ssh keys are usually used to allow access to private repos, but in CI it can be a pain to manage ssh keys for github machine users with limited access.

I propose adding support for github oauth (https+basic auth). These oauth key works as the password, and can be managed at https://github.com/settings/tokens.

As a bonus, if an oauth key ever gets committed to a public repo github will revoke it automatically.

eg:

glide get https://<username>:<token>@github.com/myorg/privaterepo

would fetch the git repo by doing:

git clone https://<username>:<token>@github.com/myorg/privaterepo

and the glide.yaml would look like:

import:
  - name: https://<username>:<token>@github.com/myorg/privaterepo

[mattfarina]

@vektah Handling this well in a CI system is important to me.

First, imports can have alternative VCS information. For example,

import:
- package: github.com/myorg/privaterepo
  repo:  https://<username>:<token>@github.com/myorg/privaterepo

This should work today. For the package at that location locally the repo used will be the one here.

But, a glide.yaml file checked into a project really shouldn't have credentials in it. This is just not a good idea for securely storing those credentials.

Instead, we need a way to supply overriding aliases that the CI system can supply with credentials. The CI system can securely store them. See #39, #372, and #380 to see where this is going. I'd like to have the alias system in place soon.

What do you think?

[vektah]

Ah thanks, that's perfect for now.

Big ol' 👍 to the .gliderc idea, its in line with how other dependency managers work. Its great to see that there is some thought going into this.

I'll close this as there seem to be other tickets covering the ongoing work.

[thanasisk]

Are there any updates on this topic as I really need oath token support for github (as generated by Personal Access Tokens")