How to deal with npm dependencies from private repos?

Hello,

I have a project where an npm dependency is fetched from a private repo:

    "@raccode/svelte-toolkit": "git+ssh://git@github.com:raccodee/svelte-toolkit.git"

As you notice, it needs ssh to work. I also tried to use a personal access token link, but I cannot expose it because the project which I’m working in is public, and env variables seem not to work in dependencies. I would like to be able to get that dependency during the build phase.

May I have some guidance on how to achieve this?

This is my failed build log:

    2:49:25 AM: Build ready to start
    2:49:27 AM: build-image version: d2c6dbeac570350a387d832f64bc980dc964ad65 (focal)
    2:49:27 AM: build-image tag: v4.8.0
    2:49:27 AM: buildbot version: e552b142336b2b1222a93a4fd4cbed0019c77b46
    2:49:27 AM: Fetching cached dependencies
    2:49:27 AM: Starting to download cache of 113.1MB
    2:49:29 AM: Finished downloading cache in 1.830169287s
    2:49:29 AM: Starting to extract cache
    2:49:33 AM: Finished extracting cache in 4.11939021s
    2:49:33 AM: Finished fetching cache in 5.971109578s
    2:49:33 AM: Starting to prepare the repo for build
    2:49:33 AM: Preparing Git Reference pull/4/head
    2:49:34 AM: Parsing package.json dependencies
    2:49:35 AM: Starting build script
    2:49:36 AM: Installing dependencies
    2:49:36 AM: Python version set to 2.7
    2:49:36 AM: Started restoring cached node version
    2:49:37 AM: Finished restoring cached node version
    2:49:38 AM: v16.14.2 is already installed.
    2:49:39 AM: Now using node v16.14.2 (npm v8.5.0)
    2:49:39 AM: Started restoring cached build plugins
    2:49:39 AM: Finished restoring cached build plugins
    2:49:39 AM: Attempting ruby version 2.7.2, read from environment
    2:49:40 AM: Using ruby version 2.7.2
    2:49:41 AM: Using PHP version 8.0
    2:49:41 AM: No npm workspaces detected
    2:49:41 AM: Started restoring cached node modules
    2:49:41 AM: Finished restoring cached node modules
    2:49:42 AM: Installing NPM modules using NPM version 8.5.0
    2:49:43 AM: npm WARN old lockfile
    2:49:43 AM: npm WARN old lockfile The package-lock.json file was created with an old version of npm,
    2:49:43 AM: npm WARN old lockfile so supplemental metadata must be fetched from the registry.
    2:49:43 AM: npm WARN old lockfile
    2:49:43 AM: npm WARN old lockfile This is a one-time fix-up, please be patient...
    2:49:43 AM: npm WARN old lockfile
    2:49:51 AM: npm ERR! code 128
    2:49:51 AM: npm ERR! An unknown git error occurred
    2:49:51 AM: npm ERR! command git --no-replace-objects ls-remote ssh://git@github.com/raccodee/svelte-toolkit.git
    2:49:51 AM: npm ERR! Warning: Permanently added 'github.com,140.82.112.4' (ECDSA) to the list of known hosts.
    2:49:51 AM: Creating deploy upload records
    2:49:51 AM: npm ERR! git@github.com: Permission denied (publickey).
    2:49:51 AM: npm ERR! fatal: Could not read from remote repository.
    2:49:51 AM: npm ERR!
    2:49:51 AM: npm ERR! Please make sure you have the correct access rights
    2:49:51 AM: npm ERR! and the repository exists.
    2:49:51 AM: npm ERR! A complete log of this run can be found in:
    2:49:51 AM: npm ERR!     /opt/buildhome/.npm/_logs/2022-04-16T00_49_42_781Z-debug-0.log
    2:49:51 AM: Failed during stage 'building site': Build script returned non-zero exit code: 1 (https://ntl.fyi/exit-code-1)
    2:49:51 AM: Error during NPM install
    2:49:51 AM: Build was terminated: Build script returned non-zero exit code: 1
    2:49:51 AM: Failing build: Failed to build site
    2:49:51 AM: Finished processing build request in 24.356487606s

Thanks.

Hey @raccode

Have you read through this support guide?

Problem was solved finally, not in a very clean way but solved

What was your solution? I’m running into this same problem. It’s a private github repo, not a private npm package as @coelmay described.

Hey @Ryan_Olson,

Could you try if this works:

You’d have to create an access token for your repo, but that should be the easy part. Let us know if the above works.

Hey, I have the exact same issue, here is the deploy link.

You’re not deploying properly from your Repo. Are you trying to use continuous deployment? If so can you try to link and relink your repo then trigger a deploy?

Hey @SamO, thanks for the response. I am deploying from this repo which is public. The thing is I am trying to install a private repo as an npm package. I first tried to use ssh without any success, now I am trying with a GitHub PAT following this guide but it still fails - see here.

EDIT: I just tried using the Deploy key from Netlify and adding it to my private repo, I still have an access error.

Could you link us to the deploy logs for the build where you’ve added your DeployKey? (Note: I had suggested that that’s what you would likely need if and only if you have the dependency specified in your package.json/yarn.lock and we are attempting to auto-install it in the first section of our build logs (“Installing Dependencies”) - but that was wrong!)

Upon reconsidering, you’d probably need to make the other repo a submodule of the main repo, and then we’d use the deploy key. We drop all permissions (including ability to use the deploykey you saved in our system) as soon as we finish cloning, which includes submodules.

Otherwise you will have to clone it as described here: [Support Guide] How do I access private repositories in the build environment?

Hey @fool, many thanks for your help. I finally succeeded in finding a workaround by using a shell script (npm install --no-save git+https://${GIT_TOKEN}:x-oauth-basic@github.com/user/repo.git) as a preinstall command in my package.json. The --no-save option allows me to skip writing my GIT_TOKEN as a raw value in my package.json as the code remains in a public repo.

Thanks for writing back in and sharing this.
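
The preinstall workaround from the thread above, written out as a script. This is an added example, not code posted by any participant: it keeps the token out of package.json and also masks it in npm's output, because npm error lines echo the git remote URL, as the failed build log above shows. The function names, the *** marker and the user/repo argument are assumptions; GIT_TOKEN is the variable named in the post.

```shell
#!/bin/sh
# Added example: preinstall helper for a private GitHub dependency.
# GIT_TOKEN is read from the build environment; "user/repo" is the
# placeholder from the post above.

# Build the authenticated URL in the form used in the post.
dep_url() {  # $1 = token, $2 = owner/repo
  printf 'git+https://%s:x-oauth-basic@github.com/%s.git' "$1" "$2"
}

# Mask every literal occurrence of the token on stdin (no regex, so any
# characters in the token are matched exactly).
redact() {  # $1 = token
  TOK=$1 awk '{
    tok = ENVIRON["TOK"]; rest = $0; out = ""
    while (tok != "" && (i = index(rest, tok)) > 0) {
      out = out substr(rest, 1, i - 1) "***"
      rest = substr(rest, i + length(tok))
    }
    print out rest
  }'
}

# Install without saving to package.json, and keep the token out of the log.
install_private_dep() {  # $1 = owner/repo
  if [ -z "${GIT_TOKEN:-}" ]; then
    echo "GIT_TOKEN is not set in the build environment" >&2
    return 2
  fi
  _rc=0
  # npm error output echoes the git remote URL, so capture and filter it.
  _out=$(npm install --no-save "$(dep_url "$GIT_TOKEN" "$1")" 2>&1) || _rc=$?
  printf '%s\n' "$_out" | redact "$GIT_TOKEN"
  return "$_rc"
}

# Runs only when called with an argument, e.g.: sh preinstall.sh user/repo
if [ -n "${1:-}" ]; then
  install_private_dep "$1"
fi
```

The script exits with npm's own status, so a failed install still fails the build; a missing GIT_TOKEN returns 2 before npm is ever called.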