Install private NPM dependencies using git+ssh on Now. Based on https://zeit.co/blog/build-env to work around missing support for git+ssh dependencies in now@2 (https://github.com/zeit/now-builders/issues/49)

Dockerfile

# This is a multi-stage build to not spill the contents of the deploy_key
FROM mhart/alpine-node:10 as base

# We need git and openssh to resolve `git+ssh` links in package.json
RUN apk update \
    && apk add git openssh

WORKDIR /usr/src
COPY package*.json ./

# Pass through Now build-env as Docker build-arg
ARG EXAMPLE_DEPLOY_KEY

# Setup key file during build stage
RUN mkdir -p ~/.ssh
RUN echo $EXAMPLE_DEPLOY_KEY | base64 -d > ~/.ssh/deploy_key
RUN chmod 600 ~/.ssh/deploy_key

# Add github.com to known hosts to avoid error
RUN ssh-keyscan -t rsa github.com >> ~/.ssh/known_hosts

# Install dependencies (incl. `git+ssh` links)
ENV GIT_SSH_COMMAND "ssh -i ~/.ssh/deploy_key"
RUN npm install

# Copy resulting output and build app
COPY . .
RUN npm run now-build

# Finally, assemble the running image
FROM mhart/alpine-node:base-10
WORKDIR /usr/src

# Now v1 expects static assets at `/public`
RUN mkdir /public
COPY --from=base /usr/src/build /public

now.json

{
  "version": 1,
  "public": false,
  "name": "example-project",
  "alias": "example-project.peerigon.io",
  "type": "static",
  "scale": {
    "bru1": {
      "min": 0,
      "max": 1
    }
  },
  "static": {
    "rewrites": [
      {
        "source": "**",
        "destination": "/index.html"
      }
    ]
  },
  "env": {
    "NODE_ENV": "production"
  },
  "build": {
    "env": {
      "EXAMPLE_DEPLOY_KEY": "@example-deploy-key"
    }
  }
}

package.json

{
    "name": "example-project",
    "version": "0.1.0",
    "private": true,
    "dependencies": {
        "private-module": "git+ssh://[email protected]/peerigon/private-module.git",
        "prop-types": "^15.6.2",
        "react": "^16.6.0",
        "react-dom": "^16.6.0",
        "react-scripts": "2.0.5"
    },
    "scripts": {
        "start": "react-scripts start",
        "build": "react-scripts build",
        "test": "react-scripts test",
        "now-build": "npm run build"
    }
}

setup.md

Setup

1. Generate a new deploy key. You should not add a password (leave blank) since you would have to provide it every time, rendering the automatization useless. Save the private part of the key to the file my-key.key.
2. Add the generated key as deploy key to your GitHub repository. You should make sure to keep the key read-only (default).
3. Add a secret to Now which can be used in the Deployment:

$ now secret add example-deploy-key "$(cat my-key.key | base64)"

Encoding the file using base64 is no "Security through obscurity" but instead ensures there are no encoding problems (e.g. newlines \n cause errors in the Now CLI). We trust Now to transmit and store the secret values in a secure manner.

4. Reference the secret as build-time environment variable (--build-arg in Docker).

Part of now.json:

{
  "env": {
    "NODE_ENV": "production"
  },
  "build": {
    "env": {
      "EXAMPLE_DEPLOY_KEY": "@example-deploy-key"
    }
  }
}

Putting the @ in front of an identifier tries to resolve the secret with the same name.

We can now access the value in the Dockerfile:

ARG EXAMPLE_DEPLOY_KEY
RUN echo $EXAMPLE_DEPLOY_KEY

NOTE: You can only read secrets from the current scope, e.g. if you created the secret with a team scope (now --team peerigon secret add some-secret-name some-secret-value you'll need to run the now command with the same scope.

---

I hope this helps someone!