Heroku Private Modules
Use private GitHub repos as npm dependencies on Heroku.
Heroku doesn't have access to your private git repositories, so every deploy of an app with private git dependencies fails.
This package rewrites the private GitHub dependencies in your package.json (before Heroku installs your dependencies), replacing each one with a URL of the dependency that includes a GitHub access token.
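A sketch of the rewrite described above, added here as an illustration and not taken from the heroku-private-modules source. It assumes the token is placed in the URL as `<token>:x-oauth-basic` and that every GitHub reference is rewritten, since the manifest does not say which repos are private; the function names, sample manifest and token are constructed.

```javascript
// Added illustration, not the source code of heroku-private-modules.
// Assumption: the token is carried as <token>:x-oauth-basic in the URL userinfo.
const PREFIX = String.raw`(?:github:|git@github\.com:|(?:git\+)?(?:https|ssh)://(?:[^@/]+@)?github\.com[/:])?`;
const REPO = String.raw`([A-Za-z0-9][A-Za-z0-9-]*)/([\w.-]+?)(?:\.git)?(#.+)?`;
const GITHUB_SPEC = new RegExp(`^${PREFIX}${REPO}$`);

// Rewrite one dependency spec; anything that is not a GitHub reference
// (semver ranges, tarballs, local paths, other hosts) is returned untouched.
function withToken(spec, token) {
  const m = GITHUB_SPEC.exec(spec);
  if (!m) return spec;
  const [, owner, repo, ref = ''] = m;
  const auth = `${encodeURIComponent(token)}:x-oauth-basic`;
  return `git+https://${auth}@github.com/${owner}/${repo}.git${ref}`;
}

// Return a rewritten copy of the manifest; the input object is not mutated.
// The result should only ever exist on the build machine, never in a commit.
function rewriteManifest(pkg, token) {
  if (!token) throw new Error('GITHUB_TOKEN is not set');
  const out = { ...pkg };
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    if (!pkg[field]) continue;
    out[field] = Object.fromEntries(
      Object.entries(pkg[field]).map(([name, spec]) => [name, withToken(spec, token)])
    );
  }
  return out;
}

// Build logs are retained and shared, so mask the token before logging.
function redact(text, token) {
  return text.split(token).join('***');
}

// Constructed sample manifest and placeholder token (not a real credential).
const samplePkg = {
  dependencies: {
    express: '^4.18.2',
    'private-lib': 'github:acme/private-lib#v1.2.0',
    'ssh-lib': 'git+ssh://git@github.com/acme/ssh-lib.git',
    local: 'file:../local',
  },
};
const sampleToken = 'ghp_EXAMPLEONLY'; // a real run would read process.env.GITHUB_TOKEN
console.log(redact(JSON.stringify(rewriteManifest(samplePkg, sampleToken), null, 2), sampleToken));
```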
Installation
npm i --save heroku-private-modules
Usage
- Create a GitHub OAuth token with "repo" scope.
- On Heroku, set the config var GITHUB_TOKEN to the token from the previous step.
- In your app, add the npm script heroku-prebuild with npm i heroku-private-modules && heroku-private-modules.
"heroku-prebuild": "npm i heroku-private-modules && heroku-private-modules"
Background
I chose this solution to keep the secrets out of source control, to keep the projects with the minimum configuration required, and also because it seems to me the least risky solution.
Recommendation: create a GitHub user, give it permissions only to the required private repos, and use the token from this account. Then, if the token gets compromised, the attacker will have access to only a part of the private repos of your org/personal user.
Other solutions with different tradeoffs:
- Put your SSH key in a Heroku config var and set up the SSH key on every deploy with a couple of npm scripts.
- Embed the username and password of your GitHub account into the dependency URL.
- Embed the GitHub OAuth token into the dependency URL.
- Use a custom node Heroku buildpack.
License
Heroku Private Modules is MIT licensed.