From e7366170db9d940ae17634098a12147a6ca529c8 Mon Sep 17 00:00:00 2001 From: Hpar Date: Tue, 11 Mar 2025 08:46:43 +0000 Subject: [PATCH 1/2] use git+ssh for use with private repo --- .gitignore | 1 + Dockerfile | 15 +++++++++++++++ README.rst | 9 +++++++++ 3 files changed, 25 insertions(+) diff --git a/.gitignore b/.gitignore index 646d70e1..3f168181 100644 --- a/.gitignore +++ b/.gitignore @@ -2,6 +2,7 @@ /tmp/ /environment* /.vscode +/ssh # Byte-compiled / optimized / DLL files __pycache__/ diff --git a/Dockerfile b/Dockerfile index 870e2818..bfe2691c 100644 --- a/Dockerfile +++ b/Dockerfile @@ -6,6 +6,9 @@ ENV LANG=C.UTF-8 \ DEBIAN_FRONTEND=noninteractive ARG PY=3.12 +# UID / GID needed for git by ssh +ARG UID +ARG GID # binutils is needed for the ar command, used by pypandoc.ensure_pandoc_installed() RUN set -x \ @@ -55,5 +58,17 @@ RUN pip install --no-cache-dir -e /app/src/oca-github-bot # make work and home directory RUN mkdir /app/run && chmod ogu+rwx /app/run +RUN groupadd -g $GID -o app +RUN useradd -m -u $UID -g $GID -o -s /bin/bash app + ENV HOME=/app/run WORKDIR /app/run + +# git: change all url to ssh instead of HTTP +# in order to avoid GITHUB_TOKEN leaks in error messages +RUN git config --global url.ssh://git@github.com/.insteadOf https://github.com/ +COPY ./ssh /home/app/.ssh/ +RUN chown app /home/app/.ssh +RUN chown app /home/app/.ssh/* + +USER app \ No newline at end of file diff --git a/README.rst b/README.rst index aa670344..f5af10cf 100644 --- a/README.rst +++ b/README.rst @@ -158,6 +158,14 @@ The bot URL must be exposed on the internet through a reverse proxy and configured as a GitHub webhook, using the secret configured in ``GITHUB_SECRET``. +Private repo support +=========== + +If the bot needs to access private github repository, you should generate +a new key, and give access to this key on github. +If running from docker, it should be placed on a `ssh` directory on the root of this +repo. + Development =========== 
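Review bot: `ARG UID` and `ARG GID` are declared without defaults, and the later Dockerfile hunk expands them unquoted in `groupadd -g $GID -o app` and `useradd -m -u $UID -g $GID -o ...`, so a build that omits the `--build-arg` values fails there with an option-parsing error that does not name the missing argument. Because `-o` allows non-unique IDs, a value of 0 is accepted and makes `app` a second root account; and if the RUN shell is ever bash, `$UID` resolves to the shell's own read-only variable (0 during the build) instead of the build arg. I would give them distinct names and defaults, e.g. `ARG APP_UID=1000` and `ARG APP_GID=1000`, and drop `-o` unless reusing an existing ID is intended. The README text added in this commit does not mention either build argument, so the requirement is worth documenting there.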
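Review bot: `COPY ./ssh /home/app/.ssh/` writes the private deploy key into an image layer, so anyone who can pull, export or inspect the image can read the key, and the two `chown` layers that follow do not change that. The bot needs the key at run time, not at build time, so I would drop the `COPY` and both `chown` lines, keep only `RUN install -d -m 700 -o app -g app /home/app/.ssh`, and have the README tell operators to mount the key directory read-only when starting the container. If the key has to stay in the image, `COPY --chown=app:app ./ssh/ /home/app/.ssh/` sets ownership in one layer, but the file modes still come from the build context and ssh rejects a private key that is group- or world-readable. The hunk adds no `known_hosts` entry for github.com, so host-key verification depends on what the operator places in `ssh/`; a comment saying so would help.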
@@ -233,6 +241,7 @@ Contributors * Sylvain Le Gal (https://twitter.com/legalsylvain) * Tecnativa - Pedro M. Baeza * Tecnativa - Víctor Martínez +* Raphaël Reverdy Maintainers =========== From f974d7d428620ddfe5eaabd2417d865feadbe1fa Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Tue, 11 Mar 2025 08:58:50 +0000 Subject: [PATCH 2/2] [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index bfe2691c..680237fb 100644 --- a/Dockerfile +++ b/Dockerfile @@ -71,4 +71,4 @@ COPY ./ssh /home/app/.ssh/ RUN chown app /home/app/.ssh RUN chown app /home/app/.ssh/* -USER app \ No newline at end of file +USER app