fixup - Use ssh auth instead of OAuth

Oauth tokens have access to all repos, whereas ssh keys have access
per-repo.

Author: rvl

scripts/update-external.nix

@@ -5,9 +5,9 @@
 with stdenv.lib;
 
 let
-  repo = "github.com/input-output-hk/${name}.nix.git";
-  tokenFile = "/run/keys/buildkite-nix-tools-token";
-  githubUser = "iohk-devops";
+  repoHTTPS = "https://github.com/input-output-hk/${name}.nix.git";
+  repoSSH = "[email protected]:input-output-hk/${name}.nix.git";
+  sshKey = "/run/keys/buildkite-${name}-ssh-private";
 in
   writeScript "update-${name}-nix.sh" ''
     #!${stdenv.shell}
@@ -23,17 +23,17 @@ in
 
     rev=$(git rev-parse HEAD)
 
-    if [ -f ${tokenFile} ];
-      echo "Authenticating as ${githubUser}"
-      auth="${githubUser}:$(head -n1 ${tokenFile})@"
+    if [ -e ${sshKey} ];
+      echo "Authenticating using SSH with ${sshKey}"
+      export GIT_SSH_COMMAND="ssh -i ${sshKey} -F /dev/null"
     else
-      echo "There is no GitHub token in ${tokenFile}"
-      auth=""
+      echo "There is no SSH key at ${sshKey}"
+      echo "Git push may not work."
     fi
 
-    git push "https://''${auth}${repo}"
+    git push ${repoSSH}
 
     cd ..
 
-    nix-prefetch-git https://${repo} --rev "$rev" | tee ${name}-src.json
+    nix-prefetch-git ${repoHTTPS} --rev "$rev" | tee ${name}-src.json
   ''