feat: "Use private Git module in Heroku app" feature, using CLI scripts

README.md

@@ -2,7 +2,9 @@
 
 Core functionality for imin apps.
 
-## Logger
+Each of the below sub-headings describes a feature. You don't have to use all the features, you can just pick and choose. They are independent of each other.
+
+## Feature: Logger
 
 app-utils defines a (winston) logger when it is used. This logger can be used in your app with:
 
@@ -32,7 +34,7 @@ The logger will make sure to structure the Error object correctly, so that it's
 
 If the error is an **Axios error**, we have more special handling still! Axios errors are famously large and contain lots and lots of generally irrelevant information. So if you include an axios error in the `error` field, logger will only include key details about the HTTP request and response.
 
-## PostgreSQL
+## Feature: PostgreSQL
 
 You can use `@imin/app-utils` to connect with a PostgreSQL database. In order to do this, it is advised to set up environment variables for PostgreSQL connection details (detailed below), though in some cases, connection details can be provided programmatically.
 
@@ -130,7 +132,7 @@ The above explains how you ensure that your app runs migrations when it starts.
 
 **NOTE: These scripts get PostgreSQL config from `.env` in your project**
 
-## Kong Secret Middleware
+## Feature: Kong Secret Middleware
 
 If using Kong as API Gateway, you'll want to ensure that any requests to your app are only ever directly coming through Kong. The current solution is an API key in header `X-Kong-Secret`. If this matches the expected value, the request is considered to have come from Kong.
 
@@ -152,3 +154,26 @@ app.use(kongSecretMiddleware());
 ```
 
 If a request does not have the correct Kong Secret, the app will respond with an HTTP 401 and body `{ "error": "Unauthorized" }`.
+
+## Feature: Use private Git module in Heroku app
+
+In short, if you want to use a private GitHub repo (e.g. https://github.com/imin-ltd/shared-data-types) as an NPM dependency, you'll need this feature.
+
+For full explanation, see: https://imin-dev.atlassian.net/wiki/spaces/PD/pages/1053065217/Heroku+Access+to+GitHub+SSH.
+
+**ENV VARS**:
+
+* `GIT_SSH_KEY` (REQUIRED except when running locally): Private SSH key for Git. For more info, see https://imin-dev.atlassian.net/wiki/spaces/PD/pages/1053065217/Heroku+Access+to+GitHub+SSH#The-App.
+
+You'll need to add, to your `package.json`:
+
+```json
+{
+  "scripts": {
+    "heroku-prebuild": "npx heroku-prebuild-set-git-ssh-key",
+    "heroku-cleanup": "npx heroku-cleanup-remove-git-ssh-key",
+    // ...
+  },
+  // ...
+}
+```

package.json

@@ -6,7 +6,9 @@
   "types": "built-types/index.d.ts",
   "bin": {
     "db-migrate-up": "./src/cli/db-migrate-up.js",
-    "db-migrate-down": "./src/cli/db-migrate-down.js"
+    "db-migrate-down": "./src/cli/db-migrate-down.js",
+    "heroku-prebuild-set-git-ssh-key": "./src/cli/herokuPrebuildSetGitSshKey.sh",
+    "heroku-cleanup-remove-git-ssh-key": "./src/cli/herokuCleanupRemoveGitSshKey.sh"
   },
   "scripts": {
     "build": "tsc",

src/cli/herokuCleanupRemoveGitSshKey.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+
+set -o nounset
+set -o errexit
+
+if [ "$GIT_SSH_KEY" != "" ]; then
+  echo "Cleaning up SSH config" >&1
+  echo "" >&1
+
+  # Now that npm has finished running, we shouldn't need the ssh key/config anymore.
+  # Remove the files that we created.
+  rm -f ~/.ssh/config
+  rm -f ~/.ssh/deploy_key
+
+  # Clear that sensitive key data from the environment
+  export GIT_SSH_KEY=0
+fi 

src/cli/herokuPrebuildSetGitSshKey.sh

@@ -0,0 +1,37 @@
+#!/bin/bash
+
+# Copied from this amazing answer: https://stackoverflow.com/a/29677091
+# Because we use private GitHub repositories as NPM dependencies, we need to
+# set-up whatever Heroku machine runs this app to add the GitHub SSH key
+# to authorize itself to read from the GitHub repo.
+
+# Generates an SSH config file for connections if a config var exists.
+
+set -o nounset
+set -o errexit
+
+if [ "$GIT_SSH_KEY" != "" ]; then
+  echo "Detected SSH key for git. Adding SSH config" >&1
+  echo "" >&1
+
+  # Ensure we have an ssh folder
+  if [ ! -d ~/.ssh ]; then
+    mkdir -p ~/.ssh
+    chmod 700 ~/.ssh
+  fi
+
+  # Load the private key into a file.
+  echo $GIT_SSH_KEY | base64 --decode > ~/.ssh/deploy_key
+
+  # Change the permissions on the file to
+  # be read-only for this user.
+  chmod 400 ~/.ssh/deploy_key
+
+  # Setup the ssh config file.
+  echo -e "Host github.com\n"\
+          " IdentityFile ~/.ssh/deploy_key\n"\
+          " IdentitiesOnly yes\n"\
+          " UserKnownHostsFile=/dev/null\n"\
+          " StrictHostKeyChecking no"\
+          > ~/.ssh/config
+fi