Pass secrets to Docker build to fetch private Github repositories

Image by

To fetch private repositories as dependencies in a Docker image build procedure, you must set the Github credentials.

The popular errors while an invalid credential is set:

fatal: could not read Username for ‘': No such device or address

Git URL config

There are lots of posts on the internet to do this by setting your Github personal token in the git URL config, all of them are insecure because actually, they’re suggesting to pass your Github personal token to the Dockerfile as an argument and set it as the username of the Github repositories. remind that every command in Dockerfile, is printed on the build log and is accessible from the build history, so your private token is printed on the logs and ….

The SSH key method

You can also use an SSH key to download private repositories in the Docker build procedure. for this you need to generate a new SSH key and assign it to your Github account, then store the private key into the repository secrets and write it into a file in the Github action job step, then copy the file from the context directory to the .ssh directory of build container. By using this method, you are not in control of the SSH key scopes, the SSH key is your identity and has access to your whole account.

Using .netrc file

The .netrc file contains login and initialization information used by the auto-login process.

To use .netrc file, you must generate a new personal access token with private repositories related scopes, for example, if your private repositories exist under your account, therepo scope is enough, but if they exist under your organization or team account, theadmin:org scope is required.

Then store the generated personal access token in the repository secrets. Here I saved it with `API_TOKEN_GITHUB` name.

Create a Github action file:

In this action, first, we store our secrets into the .netrc file, then pass the file as a secret to the Docker build command.

Github action job hides the secrets in the logs, so it’s safe to use secrets in the run command.

After that, you must mount the secret file to root/.netrc in Dockerfile, (in this example we’re running Golang module download command after mounting the secret)

Notice: You must run the go mod download or npm install commands right after mounting the secret file, actually in the same Docker Run command.

Using docker/build-push-action@v2

If you are using a Github action to build or push your image, you should pass the .netrc file like this:


  • Don’t pass your secret to Docker build command as an argument, your secrets are printed in the build logs and history.
  • Using SSH key limits your control of the scopes.
  • You can store secrets in the .netrc file via the Github action and then pass it as a secret file to the Docker build command. (follow .netrc section)




Currently a software engineer, always an adventurer

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

CS373 Fall 2020: Stephen Zheng

Software architecture with the “IDesign method”

Creating Security Cameras in Unity Part 1

Hop Onboard the iOS Release-🚂!

All about Redshift

Spring — Autowiring using @Inject annotation | Code Factory

Using Redpanda to stream Docker stats in Deephaven

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Sajjad Rad

Sajjad Rad

Currently a software engineer, always an adventurer

More from Medium

Verify Google Login Credentials with GOLang

GoFrame 101: Log management

Create a Distributed Database with High Availability with Apache ShardingSphere

Level-based logging in Go with Uber Zap