Best method for private github package in requirements.txt

I would like to keep some code development outside of anvil and have this in a private github repo. I can add this in the requirements.txt file using,
git+https://<user_name>:<personal_access_token>@github.com/<account>/<repo>.git

However, placing the personal access token out in the open like that makes me itchy. It would be great if we could use app secrets as environment variables like so,
git+https://<user_name>:{secret_access_token}@github.com/<account>/<repo>.git

Or is there another option that I’m missing here?


Hi @racersmith,

Yes, having a fully-permissioned Personal Access Token floating about is a bit alarming! However, it’s a lot less alarming to use a fine-grained Personal Access Token, which you can configure to allow read-only access to only one repository, and nothing else. That’s the way forward I’d suggest.

(This is all assuming you’re using our standard cloud environment at https://anvil.works. There are of course fancier things you can do to access private repositories if you’re using an on-site Enterprise installation in your company – Enterprise customers can shoot an email to support to get that set up.)


Thanks for the response! Would the only threat, on the Anvil side, be through the Anvil editor either through a compromised account or over-the-shoulder viewing? Just want to make sure I’m not missing some other threat vector.

Yes, that’s about right I think!


Sharing a clone link might also populate the requirements.txt with the token. It should be obvious that this would happen, but not everyone might think about it before sharing the link.

Good thinking! I went ahead and deleted the clone key. Thanks @ianb!

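The two points made above, that the token in requirements.txt should be a fine-grained read-only one and that the file travels with every clone, are easy to check mechanically. The following is an added example, not code from this thread or from Anvil: a small Python scanner that flags requirements lines carrying userinfo in a VCS URL, prints a redacted form, and classifies GitHub tokens by their documented prefixes (classic tokens start with `ghp_`, fine-grained tokens with `github_pat_`). The sample requirements file and the token values in it are constructed placeholders, not real secrets.

```python
"""Scan a requirements.txt for credentials embedded in VCS URLs."""
import sys
from urllib.parse import urlsplit, urlunsplit

# Constructed sample input (placeholder tokens, not real secrets).
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
git+https://octocat:github_pat_11AAAAAAA0example@github.com/example/private-repo.git
git+https://github.com/example/public-repo.git@v1.2.0
-e git+https://deploy:ghp_exampleclassictoken@github.com/example/other-repo.git#egg=other
"""


def classify_token(token):
    """Classify a GitHub token by prefix: fine-grained, classic or unknown."""
    if token.startswith("github_pat_"):
        return "fine-grained"
    if token.startswith("ghp_"):
        return "classic"
    return "unknown"


def redact_url(url):
    """Return the URL with any user:password userinfo stripped from the netloc."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.port:
        host += f":{parts.port}"
    return urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))


def scan_requirements(text):
    """Return a list of findings for requirement lines that embed credentials.

    Each finding records the 1-based line number, the username, the token
    kind (by prefix) and a redacted form of the URL that is safe to log.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        # Requirement lines may carry options such as "-e URL"; look at each token.
        for token in stripped.split():
            if "://" not in token:
                continue
            parts = urlsplit(token)
            if parts.username is None and parts.password is None:
                continue  # no userinfo in the URL, nothing embedded
            findings.append({
                "line": lineno,
                "username": parts.username,
                "token_kind": classify_token(parts.password or ""),
                "redacted": redact_url(token),
            })
    return findings


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REQUIREMENTS
    findings = scan_requirements(text)
    for f in findings:
        print(f"line {f['line']}: {f['token_kind']} token for user "
              f"{f['username']!r} in {f['redacted']}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against a file with `python scan_requirements.py requirements.txt`; with no argument it scans the constructed sample. It exits non-zero whenever any embedded credential is found, so it can sit in a pre-commit hook or before sharing a clone link. A classic token in the output is the case to act on first, since a fine-grained token scoped to one read-only repository is the one the thread recommends.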

Well, for the exceptionally paranoid, I think I may have a more secure solution at the cost of hassle. You can use the personal access token from github for the requirements.txt file, allow Anvil to complete the build, then go and refresh (or delete) the personal access token on github to invalidate it. Anytime you change the requirements.txt file I’m sure you will need to have a valid personal access token or the build will fail.

I’m not sure if there are other times when the build process in Anvil will trigger outside of dependency changes, which would make this probably stupid idea a terrible idea.

I guess with great paranoia, comes great hassle.

Yes, unfortunately Anvil’s build cache is just that – a cache! We therefore can’t guarantee that we won’t rebuild the image for a given requirements.txt (for example, if we need to make a security update to the underlying OS).


And again there are only two hard things in Computer Science: cache invalidation and naming things.

Haha. Thanks for the insight! I’m going to push this out the back of my head and get back to work.