
I have an app deployed in Heroku, and now I have a lot of private repos that need to be included in the requirements.txt file. I set my GitHub access token and need to put it in the Heroku environment variables so it is included in the requirements.txt file. I already tried a lot to pass it, but it's not read by the file unless I hard-code it inside it. What should be done to make this step as secure as possible?

1 Answer


Choose a private repository

For an organization and private libraries, you have only one option, no matter the language:

An artifact repository.

  • You need to deploy it and configure it
  • Push your private libraries.
  • Create a user/password and configure them in the machine where you build your apps. You could also create another user for your developers. There are roles like write, read-only, etc.

I advise you:


Download the private packages

No matter the cloud (aws, gcp, heroku, etc), you only need to configure the credentials and url of your private repository using the shell or a config file.

Here is an example:

.pypirc:

[distutils]
index-servers =
pypi
[pypi]
repository: https://nexus.your.domain/repository/pypi-hosted/
username: nexususername
password: nexuspassword 

If you are worried about the credentials, you could do a simple automation to read them from an env variable or perform a replacement:

password: ${PRIVATE_REPOSITORY_PASSWORD} 
password: <PRIVATE_REPOSITORY_PASSWORD> 

This generic approach (any private repository and any cloud) should work with GitHub:

JRichardsz
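The answer above suggests keeping the password out of the checked-in config file and filling it in from an environment variable at build time. The following is an added example of that "replacement" step, not code from the answer or from pip, Nexus or Heroku. It renders a config template whose `${NAME}` placeholders (the same `${VAR}` form pip itself accepts in requirements files) are taken from the build environment, refuses to run if a variable is unset (so a half-rendered file with an empty password never reaches the build), writes the result with owner-only permissions, and provides a redaction helper so the rendered content can be logged without exposing the secret. The templates and variable names (`PRIVATE_REPOSITORY_PASSWORD`, `GITHUB_TOKEN`, `example-org/private-lib`) are constructed for the example.

```python
import os
import re
import stat
import tempfile

# Placeholder syntax: ${NAME} where NAME is uppercase letters, digits or "_".
# Deliberately narrow so stray "$" characters in URLs or passwords are left alone.
PLACEHOLDER = re.compile(r"\$\{([A-Z0-9_]+)\}")

# Constructed templates; the first mirrors the .pypirc snippet in the answer,
# the second is a requirements.txt line pointing at a hypothetical private repo.
PYPIRC_TEMPLATE = (
    "[distutils]\n"
    "index-servers =\n"
    "    pypi\n"
    "[pypi]\n"
    "repository: https://nexus.your.domain/repository/pypi-hosted/\n"
    "username: nexususername\n"
    "password: ${PRIVATE_REPOSITORY_PASSWORD}\n"
)
REQUIREMENTS_TEMPLATE = (
    "git+https://${GITHUB_TOKEN}@github.com/example-org/private-lib.git\n"
)


def missing_variables(template: str, env: dict) -> list:
    """Names referenced by the template that are absent from env (sorted)."""
    referenced = {m.group(1) for m in PLACEHOLDER.finditer(template)}
    return sorted(referenced - set(env))


def render_template(template: str, env: dict) -> str:
    """Substitute every ${NAME}; fail closed instead of emitting blanks."""
    missing = missing_variables(template, env)
    if missing:
        # Only the variable *names* go into the error, never any values.
        raise KeyError("unset secret variables: " + ", ".join(missing))
    return PLACEHOLDER.sub(lambda m: env[m.group(1)], template)


def write_private_config(path: str, template: str, env: dict) -> str:
    """Render the template to `path` readable by the owner only (0600)."""
    rendered = render_template(template, env)
    # Create with restrictive mode up front rather than chmod-ing afterwards,
    # so there is no window in which the file is world-readable.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(rendered)
    os.chmod(path, 0o600)  # in case the process umask widened the mode
    return path


def file_mode(path: str) -> int:
    """Permission bits of `path`, for checking the 0600 guarantee."""
    return stat.S_IMODE(os.stat(path).st_mode)


def redact(text: str, env: dict, names: list) -> str:
    """Mask the values of the named secrets so `text` is safe to log."""
    for name in names:
        value = env.get(name)
        if value:
            text = text.replace(value, "***")
    return text


def demo() -> dict:
    """Run the rendering against constructed environment values."""
    env = {
        "PRIVATE_REPOSITORY_PASSWORD": "example-password",  # constructed
        "GITHUB_TOKEN": "example-token",                    # constructed
    }
    workdir = tempfile.mkdtemp()
    pypirc = write_private_config(os.path.join(workdir, ".pypirc"), PYPIRC_TEMPLATE, env)
    reqs = write_private_config(os.path.join(workdir, "requirements.txt"), REQUIREMENTS_TEMPLATE, env)
    with open(reqs) as fh:
        safe_log = redact(fh.read(), env, ["GITHUB_TOKEN"])
    return {"pypirc_mode": file_mode(pypirc), "reqs_mode": file_mode(reqs), "log": safe_log}


if __name__ == "__main__":
    result = demo()
    print(result["log"].strip())        # token shown as *** in any build log
    print(oct(result["pypirc_mode"]))   # 0o600
```

In a Heroku-style build the `env` argument would simply be `os.environ`, populated from the platform's config vars, and the rendered file would be written into the build directory just before the install step, then left out of any artifact or log. Note that pip resolves `${GITHUB_TOKEN}` in a requirements file on its own, so for the question's exact case the rendering step can be skipped; the same fail-closed check and redaction are still worth running in the build script.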