Add SSH key mounting support for private repository access

Co-authored-by: jhulten <[email protected]>

Author: Copilot

README.md

@@ -19,11 +19,21 @@ Build without initializing a dotfiles repo:
 docker build -t my-chezmoi ./chezmoi
 ```
 
-Build and initialize with a dotfiles repo:
+Build and initialize with a public dotfiles repo:
 ```bash
 docker build --build-arg CHEZMOI_REPO=https://github.com/username/dotfiles.git -t my-chezmoi ./chezmoi
 ```
 
+Build and initialize with a private dotfiles repo using SSH keys:
+```bash
+docker buildx build --ssh default --build-arg [email protected]:username/dotfiles.git -t my-chezmoi ./chezmoi
+```
+
+Build and initialize with a private dotfiles repo using token:
+```bash
+docker build --build-arg CHEZMOI_REPO=https://[email protected]/username/dotfiles.git -t my-chezmoi ./chezmoi
+```
+
 > [!WARNING]
 > Using `CHEZMOI_REPO` will execute code from the dotfiles repository during the build process. Only use with trusted repositories.
 

chezmoi/Dockerfile

@@ -18,9 +18,19 @@ RUN mise use --global aqua:twpayne/chezmoi@${CHEZMOI_VERSION}
 # Optional: Initialize chezmoi with a dotfiles repo
 # WARNING: This will execute code from the dotfiles repository during build.
 # Only use with trusted repositories.
+#
+# For public repos or repos with token:
+#   docker build --build-arg CHEZMOI_REPO=https://github.com/user/dotfiles.git
+#   docker build --build-arg CHEZMOI_REPO=https://[email protected]/user/dotfiles.git
+#
+# For private repos with SSH:
+#   docker buildx build --ssh default --build-arg [email protected]:user/dotfiles.git
 ARG CHEZMOI_REPO=""
-RUN if [ -n "$CHEZMOI_REPO" ]; then \
-  chezmoi init --apply "$CHEZMOI_REPO"; \
+RUN --mount=type=ssh \
+  mkdir -p ~/.ssh && \
+  ssh-keyscan github.com >> ~/.ssh/known_hosts 2>/dev/null || true && \
+  if [ -n "$CHEZMOI_REPO" ]; then \
+    chezmoi init --apply "$CHEZMOI_REPO"; \
   fi
 
 CMD ["/bin/zsh"]