Rails - Bundle a private gem

I wrote a port about how to use a private repo as a dependency with yarn or npm here. But how we do the same using bundler?

In Gemfile, there are many ways to install a gem.

# git
gem 'rails', git: 'git://github.com/rails/rails.git'

# ssh
gem 'rails', git: '[email protected]:rails/rails.git'

# https
gem 'rails', git: 'https://github.com/rails/rails.git'

# github keyword
gem 'rails', github: 'rails/rails.git'

But please don’t use git:// protocol. It’s insecure and allows a man-in-the-middle attach.

You could use SSH (give your ssh_key to CI so it could make a request) or use HTTPS (enter your github username and password each time bundle install) to pull gem code. However, that’s quite annoying.

Solution

1. Directly in the Gemfile

gem 'private', git: 'https://<username>:<password>@github.com/mycompany/private.git'
gem 'private', git: 'https://x-access-token:<token>@github.com/mycompany/private.git'

-> That is not a great idea. Cause you put sensitive information in source code.

2. Use bundle config

Ref: Config bundler

$ bundle config GITHUB__COM username:password
$ bundle config --local GITHUB__COM username:password

-> Take username/password out of the source code.

3. Use bundle config with environment variables

$ export BUNDLE_GITHUB__COM=username:password
$ export BUNDLE_GITHUB__COM=x-access-token:<token>

Reference:

• https://depfu.com/blog/2017/08/02/bundler-and-private-dependencies:w
• https://blog.eq8.eu/article/github-credentials-in-bundler.html