I tried to build a nodejs application with ssh external dependancies with and without package-lock.json in a Dockerfile.
It seems that --mount=type=ssh doesn't works recursively when cloning external ssh dependancies with npm
package-lock.json contains :
"version": "git+ssh://[email protected]:common/dependance.git#4db813c75b98977b10886ceeb761f5f0fcf92f40", "from": "git+ssh://[email protected]:common/dependance.git#v4.0.0-pre.7",
It seems that if I remove the package-lock.json it will work but it doesn't work if it is present, I don't know why.
I don't understand why the secret or mount option is not recursively used within the npm "subprocess" retrieve command.
Though Fixing the versions with the package-lock.json should be built-in.
This is a snake that bites its own tail case.
Docker version 24.0.2, build cb74dfcd85
In the Dockerfile :
RUN --mount=type=ssh /usr/local/bin/npm install --loglevel silly
Run with option :
--ssh default=$HOME/.ssh/id_ed25519
In the package.json :
"dependance": "git+ssh://[email protected]:common/dependance.git#v4.0.0-pre.7"
In the package-lock.json :
"version": "git+ssh://[email protected]:common/dependance.git#4db813c75b98977b10886ceeb761f5f0fcf92f40", "from": "git+ssh://[email protected]:common/dependance.git#v4.0.0-pre.7",
--mount=type=ssh doesn't clone the dependance because it can't see the private key authorization
I figured out that the url syntax is wrong:
Wrong:
Correct: