I've seen this be a stumbling block, so I figured I'd share: The Vanilla DevOps Git Credentials & Private Packages Cheatsheet https://coolaj86.com/articles/vanilla-devops-git-credentials-cheatsheet/
When you have private packages (npm, gem, go, python eggs, etc) And you want to be able to use the normal package management tools (package.json, Gemfile, go.mod, requirements.txt, etc), or share with users based on ACL You need to use SSH Keys or Access Tokens that are safe to put in deploy environment variables (Circle / Drone / Heroku / Akkeris / Docker / etc) I listed every possible way to do that, tested each one, and determined what appears to be a fail-proof way that I'd recommend above all other approaches. Hope this helps a few of you. I'm sure you will run into this at some point if you haven't already. AJ ONeal https://git.coolaj86.com /* PLUG: http://plug.org, #utah on irc.freenode.net Unsubscribe: http://plug.org/mailman/options/plug Don't fear the penguin. */