From 9d3d07468a962ac70c2d54f9c8ae79bff52fe82f Mon Sep 17 00:00:00 2001
From: Drew DeVault <sir@cmpwn.com>
Date: Thu, 11 Apr 2019 17:28:39 -0400
Subject: Add docs for private repo builds

---
 builds.sr.ht/private-repos.md | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 builds.sr.ht/private-repos.md

diff --git a/builds.sr.ht/private-repos.md b/builds.sr.ht/private-repos.md
new file mode 100644
index 0000000..9231517
--- /dev/null
+++ b/builds.sr.ht/private-repos.md
@@ -0,0 +1,25 @@
+# Private repos in builds.sr.ht jobs
+
+<div class="alert alert-danger">
+  <strong>Warning!</strong> The list of commands run in a builds.sr.ht job, as
+  well as their stdout and stderr, are visible to the public - even if the job
+  uses a private repository. Take care not to leak any secrets this way.
+</div>
+
+builds.sr.ht can use private repos on git.sr.ht and elsewhere, but you have to
+configure each job with an SSH key that has access to your account.
+
+1. Generate an SSH key and [add it to your account](https://meta.sr.ht/keys)
+1. Add a secret using the [secrets management page](https://builds.sr.ht/secrets)
+1. Copy the secret's UUID into your build manifest's secrets list.
+1. Update your sources list to use the SSH clone URL - not the https clone URL.
+
+The resulting build manifest should look something like this:
+
+```yaml
+image: # ...
+secrets:
+- c043e12e-a297-4ece-b09c-bb5a99dc4094
+sources:
+- git@git.sr.ht:~yourname/your-private-repo
+```
-- 
cgit