Private Github Repos in Gemfiles

How to deploy private Github repos in Gemfiles without build secrets

You’re working with a Github repo that’s private and you want to include it in your Gemfile, but you deploy to production from a CI server or a service like Fly.io that doesn’t have access to build secrets.

What do you do?

One option is to use a personal access token to create a private URL that can be used in your Gemfile. The problem? Github doesn’t make this a straightforward task. Here’s how you can do it.

Enable fine-grained personal access tokens

First, you’ll need to enable fine-grained personal access tokens. I could give you all the clicking instructions, but it changes and you won’t read it anyway. So instead change the $ORGANIZATION to your organization name and visit the following URL.

https://github.com/organizations/$ORGANIZATION/settings/personal-access-tokens-onboarding

Github will present you with a weird wizard and a bunch of stuff to read where you’ll enable fine-grained access tokens for the organization. Do not enable personal access tokens (classic) unless you know you need them.

Create a personal access token

Yay, now you get to jump to a completely different part of Github to create a token. Go to https://github.com/settings/personal-access-tokens/new and you’ll see a “Confirm access” screen that looks like a login screen. You’ll enter your MFA token and finally see a “New fine-grained personal access token” screen.

The less obvious stuff

I’m going to skip describing the required fields since they’re self-evident and validations will make sure you get the right thing, so let’s look at the less obvious stuff that is important and get to the point.

Repository access

Select “Only select repositories” and find the private repos you want to access.

Permissions

Find the “Repository permissions” box, then click on it to expand it. Now scroll down to “Contents”, and select “Read-only” from the drop-down.

Generate token

Once you have the less obvious stuff configured, click “Generate token” and you’ll see a screen with a token. Don’t close this window because we’re going to copy and paste that token into your Gemfile.

Craft a URL for your Gemfile

Now that you have a token, you can craft a URL for your Gemfile. Here’s what it should look like.

gem "my-gem", git: "https://$TOKEN:x-oauth-basic@github.com/$ORG/$REPO"

Replace $TOKEN with your token, $ORG with your organization name, and $REPO with your repository name. Here’s what it will look like with realish values.

gem "my-gem", git: "https://github_pat_12AACBEFD0cbpvQu0Abzip_SwSSklasiedjcnIUd1BjnW1Sm2E0Lksjid93jE5GWP1UqqVHUf:x-oauth-basic@github.com/my-org/my-gem"

Now you can run bundle install and your gem will be installed from your private repository.

Security concerns

Yep, you’re going to commit this super secret token to your Github repository. You’ll want to make sure it’s not the end of the world if this URL is exposed and somebody gets the contents of the repo.
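
A check you could run in CI or a pre-commit hook, added here as an example and not part of the original post: it lists Gemfile git URLs that embed credentials, tells the fine-grained `github_pat_` format shown above apart from classic `ghp_` tokens, and returns only redacted URLs. The function names and the sample Gemfile are constructed for illustration.

```ruby
require "uri"

# Finds the URL in a `git:` (or `:git =>`) option on a Gemfile line.
GIT_OPTION = /(?:\bgit:|:git\s*=>)\s*["'](https?:\/\/[^"'\s]+)["']/

# github_pat_ is the fine-grained format shown above; ghp_ marks a classic token.
def token_kind(token)
  return :fine_grained if token.start_with?("github_pat_")
  return :classic if token.start_with?("ghp_")
  :unknown
end

# Returns one finding per Gemfile line whose git URL embeds credentials.
# The token itself never appears in the result, so findings are safe to log.
def audit_gemfile(text)
  text.each_line.with_index(1).filter_map do |line, number|
    next if line.lstrip.start_with?("#")
    url = line[GIT_OPTION, 1]
    next unless url
    uri = begin
      URI.parse(url)
    rescue URI::InvalidURIError
      next
    end
    next unless uri.user
    { line: number,
      repo: "#{uri.host}#{uri.path}",
      kind: token_kind(uri.user),
      redacted: "#{uri.scheme}://[REDACTED]@#{uri.host}#{uri.path}" }
  end
end

# Constructed sample Gemfile; the tokens are placeholders, not real credentials.
SAMPLE_GEMFILE = <<~GEMFILE
  source "https://rubygems.org"
  gem "rails"
  gem "my-gem", git: "https://github_pat_EXAMPLE0000:x-oauth-basic@github.com/my-org/my-gem"
  gem "old-gem", git: "https://ghp_EXAMPLE0000:x-oauth-basic@github.com/my-org/old-gem"
  gem "public-gem", git: "https://github.com/my-org/public-gem"
GEMFILE

if __FILE__ == $PROGRAM_NAME
  audit_gemfile(SAMPLE_GEMFILE).each do |f|
    puts "Gemfile:#{f[:line]} #{f[:kind]} token for #{f[:repo]} (#{f[:redacted]})"
  end
end
```

A finding of kind `:classic` or `:unknown` means the committed token is not the fine-grained kind this post sets up.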
