Private repos behind firewall

Usually cloud CI\CD tools provide the list of ips to be whitelisted on private corporate repos/firewalls. Where can I find such list for EAS? Seems nothing in the docs

Try mailing secure@expo.dev

@sponde any news on this ?

I’m trying to switch to EAS build instead of the old way … But I’m facing problems with private repo on a private github which won’t be exposed … Can’t we switch back to the bundle being created locally ? …

@seba99 have you tried the following? If so, what happened?

1 Like

Yes, I tried :’(

But it’s a private registry and it’s mandatory to have a VPN acces to connect to it …

Althought I have :

I’m still facing this :

( It’s not gitlab.com … It a custom private gitlab instance )

What VPN? It might be possible to install the VPN software on the build server using a eas-build-pre-install hook.

Another option would be running builds on your own infrastructure.

The project hasn’t got any CI/CD settled yet.
I just ran the expo build:android|ios locally from my computer.

That’s why I’m annoyed with eas build changes : We won’t be able to build IPA from linux / windows as we used to do. ( When using private registries are on the line I’ve opened this thread )

it’s Open VPN but installing a VPN in a pre-install hook seems overcomplicated …

I’ll stick to the expo build system for now :frowning:

You might be able to get EAS Build to upload your node_modules (e.g. by making use of .easignore).

I tried emailing, but they just sent me all of the possible ip ranges of google cloud and aws, very frustrating. I am sure there will be lots of users who need exact IPs, hope they’ll update documentation in the nearest future

I suppose if they spin up build servers as needed it’s possible that the servers will get any of Google’s/AWS’s IPs :confused:

If I needed to do something like this I’d try to figure out a way to get EAS to upload the private dependencies.

e.g. see the following: How can I upload files to EAS Build if they are gitignored?

Alternatively I would build the apps on my company’s own infrastructure.

The .easignore thing seems interesting. Too bad it’s not mentionned in the docs … yet ! :upside_down_face:

But i fear it won’t help … As stated :

The node_modules directory is ignored by default.

I’ve tried to include this in my .easignore hoping that it will obey those patterns rules because I’m trying the opposite of ignoring … :sweat:

!node_modules/myPrivateModule/
!node_modules/myPrivateModule/*
!node_modules/myPrivateModule/**/*

But then the npm install is still trying to connect to the private package …
I don’t even know if the .easignore trick worked …

Is there a way to prevent npm to install certain modules ? :sweat_smile:

The only difference I saw was that the log act strangely :

So, … I’ve tried to delete the line in the package.json where it install the package …

Then the install step pass in EAS build …
But the fastlane step fails … So the .easignore ignore pattern doesn’t overides the gitgnore … Was worth a try :frowning_face:

@seba99
.easignore overrides .gitingore, but node_modules is explicitly ignored in code, so it’s not possible to upload it even by mistake. Even if you would able to add node_modules the upload would take a long time and very likely you would hit the upload limit.

@sponde
As for the original problem, we don’t have a good solution given your current infrastructure, but your idea was possible with EAS it is still a bit questionable. If you would be willing to allow traffic from eas to access stuff behind your VPN, so any eas client could potentially use it, then a far more secure option is to put your npm registry publicly and rely on registry authentication for security. Of course, the most secure option would be to install VPN client on the builders, but you already mentioned that you don’t want to do this.

@wkozyra
If it’s only for 1 private (and small) package it won’t hit the upload limit I think … How much is this limit btw ?

Do you see any workaround then ?
(Beside just adding the source of that private package directly in my source code… This is the ugliest but the solution I’m leading to … )