- Generate a new deploy key. You should not add a password (leave blank) since you would have to provide it every time, rendering the automatization useless. Save the private part of the key to the file my-key.key.
- Add the generated key as deploy key to your GitHub repository. You should make sure to keep the key read-only (default).
- Add a secret to Now which can be used in the Deployment:
```
$ now secret add example-deploy-key "$(cat my-key.key | base64)"
```

Encoding the file using base64 is no "Security through obscurity" but instead ensures there are no encoding problems (e.g. newlines `\n` cause errors in the Now CLI). We trust Now to transmit and store the secret values in a secure manner.
- Reference the secret as build-time environment variable (`--build-arg` in Docker).
Part of now.json:

```json
{
  "env": {
    "NODE_ENV": "production"
  },
  "build": {
    "env": {
      "EXAMPLE_DEPLOY_KEY": "@example-deploy-key"
    }
  }
}
```

Putting the `@` in front of an identifier tries to resolve the secret with the same name.
We can now access the value in the Dockerfile:

```dockerfile
ARG EXAMPLE_DEPLOY_KEY
RUN echo $EXAMPLE_DEPLOY_KEY
```

NOTE: You can only read secrets from the current scope, e.g. if you created the secret with a team scope (`now --team peerigon secret add some-secret-name some-secret-value`) you'll need to run the `now` command with the same scope.
I hope this helps someone!
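The base64 hand-off from the steps above as an added shell example (not code from the original comment or from Now): `encode_deploy_key` produces the single-line value for `now secret add` even with GNU `base64`, which wraps its output at 76 columns and would reintroduce the newlines the comment warns about, and `install_deploy_key` shows how a build step can restore the key into a 0600 file instead of echoing it into the build log. Function names and the placeholder key file are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original comment. Function names and the
# placeholder key below are this example's own.
set -eu

# Produce the single-line value to pass to `now secret add`. GNU base64 wraps
# at 76 columns, so strip newlines; macOS base64 already emits one line.
encode_deploy_key() {
  base64 < "$1" | tr -d '\n'
}

# Build step: restore the key from the build-time variable into a file that
# only the build user can read (umask in a subshell -> mode 0600), rather
# than echoing the secret into the build log.
install_deploy_key() {
  encoded="$1"; dest="$2"
  mkdir -p "$(dirname "$dest")"
  ( umask 077; printf '%s' "$encoded" | base64 --decode > "$dest" )
  [ -s "$dest" ] || { echo "install_deploy_key: decoded key is empty" >&2; return 1; }
}

# Sanity check before storing the secret: encode, decode, compare the bytes.
deploy_key_roundtrip_ok() {
  tmp=$(mktemp)
  install_deploy_key "$(encode_deploy_key "$1")" "$tmp"
  if cmp -s "$1" "$tmp"; then ok=0; else ok=1; fi
  rm -f "$tmp"
  return $ok
}

# Constructed stand-in for my-key.key (not a real key); its several lines are
# exactly what breaks the Now CLI when the raw file is used as the value.
make_sample_key() {
  f=$(mktemp)
  printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' \
    'CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY' \
    '-----END OPENSSH PRIVATE KEY-----' > "$f"
  echo "$f"
}

# Stand-alone demo: verify the round trip on the constructed key.
key=$(make_sample_key)
deploy_key_roundtrip_ok "$key" && echo "round trip OK"
rm -f "$key"
```

Build-time `ARG` values are recorded in the image history, so do the clone in a first build stage and copy only the fetched sources into the final image.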
@pawelotto I haven't tried it but as https://github.com/zeit/now-builders/issues/49 got merged this may not be necessary anymore because the `git` executable is now available at build time.

Also https://zeit.co/docs/v2/deployments/official-builders/node-js-now-node/#private-npm-modules is interesting if you are using a private registry. It allows you to specify `NPM_TOKEN` and `NPM_RC` as `build.env` which can be very handy depending on your use case.