From 82e8273969f22e31e8ef9e7b5dffa62b1715cc90 Mon Sep 17 00:00:00 2001 From: Kayos Date: Wed, 6 May 2026 13:45:55 -0700 Subject: [PATCH] =?UTF-8?q?build(docker):=20mount=20git=20credentials=20as?= =?UTF-8?q?=20buildkit=20secret=20for=20pallas=20SSH=E2=86=92HTTP=20fetch?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The pallas patch in [patch.crates-io] is now ssh://git@gitea after the 2026-05-06 token-scrub. Inside a docker build the rust container has no SSH key and no known_hosts for gitea, so cargo's libgit2 / system-git both reject the fetch. Mount /root/.git-credentials as a BuildKit secret (mode=0400, required) and set a build-time `url.HTTP.insteadOf SSH` rewrite. Cargo.toml and Cargo.lock keep their SSH URLs — the rewrite is git-CLI-level so no credential ever lands in the lock file or in any image layer. Build invocation: docker build --secret id=git_credentials,src= ... where is one line `http://USER:PAT@192.168.0.5:3001`. This mirrors the pattern crafting-table already uses on its runner (.git-credentials + url.insteadOf rewrite). nightly-builds.sh on Lucy will need an analogous --secret arg before it can rebuild this branch. --- Dockerfile | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 04b1eca..b69701b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,3 +1,4 @@ +# syntax=docker/dockerfile:1.4 # aldabra — Cardano lite wallet over MCP. # # Multi-stage: 
@@ -44,7 +45,15 @@ COPY crates ./crates # trick above leaves stale build artifacts otherwise. RUN find crates -name '*.rs' -exec touch {} + -RUN cargo build --release --bin aldabra && \ +# Fetch the pallas patch dep via HTTP+PAT at build time. Source URLs +# stay SSH (Cargo.toml + Cargo.lock) — the rewrite is git-CLI-level +# only, so no credential gets baked into the lock file or the image. +# Pass `--secret id=git_credentials,src=` where is one +# line: http://USER:PAT@192.168.0.5:3001 +RUN --mount=type=secret,id=git_credentials,target=/root/.git-credentials,mode=0400,required=true \ + git config --global credential.helper store && \ + git config --global url."http://192.168.0.5:3001/".insteadOf "ssh://git@192.168.0.5:23/" && \ + cargo build --release --bin aldabra && \ strip target/release/aldabra FROM debian:bookworm-slim AS runtime
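Review bot: on the first hunk, the `# syntax=docker/dockerfile:1.4` directive is what enables `--mount=type=secret` and it correctly sits on line 1, but consider pinning to `docker/dockerfile:1` instead: that tag tracks the current 1.x frontend, whereas `1.4` stays on that minor line and will drift behind without anyone noticing; `required=true` on the secret mount needs nothing newer than what either tag provides.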
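Review bot: in the second hunk, the comment calls the rewrite "git-CLI-level", but nothing in the RUN makes cargo fetch through the git binary; cargo uses libgit2 by default, and `credential.helper store` plus `url.<base>.insteadOf` are git-config features that the libgit2 path does not necessarily apply the same way. Set `CARGO_NET_GIT_FETCH_WITH_CLI=true` on this RUN (or `net.git-fetch-with-cli = true` under `[net]` in `.cargo/config.toml`) so the rewrite is guaranteed to take effect, and confirm in the build log that the pallas fetch actually goes over HTTP. Second, `url.<base>.insteadOf` is a literal prefix match: the commit message describes the patch source as `ssh://git@gitea`, while the rewrite matches `ssh://git@192.168.0.5:23/`, so check that host, port and trailing slash are byte-for-byte what Cargo.toml and Cargo.lock contain, otherwise the fetch silently stays on SSH and fails with the same error as before. Third, the token is sent as HTTP basic auth in cleartext to `192.168.0.5:3001`; it stays out of the lock file and image layers as the comment says, but it is on the wire unencrypted, so if the Gitea host can serve HTTPS the rewrite target should use that scheme. Finally, `credential.helper store` tries to rewrite `/root/.git-credentials` after every successful auth; with a read-only secret mounted on that path the write cannot succeed, which git treats as non-fatal, but expect an "unable to write credential store" message in the build output rather than a clean log.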