mirror of
https://github.com/docker/build-push-action.git
synced 2024-12-25 16:22:12 -05:00
feat: add secret-envs input
Signed-off-by: Elias Lundgren <145569914+elias-lundgren@users.noreply.github.com>
parent
4c1b68d83a
commit
5f01267817
7 changed files with 161 additions and 23 deletions
25
.github/workflows/ci.yml
vendored
|
@ -393,6 +393,31 @@ jobs:
|
|||
MYSECRET=foo
|
||||
INVALID_SECRET=
|
||||
|
||||
secret-env:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
-
|
||||
name: Checkout
|
||||
uses: actions/checkout@v4
|
||||
-
|
||||
name: Set up Docker buildx
|
||||
uses: docker/setup-buildx-action@v3
|
||||
with:
|
||||
version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
|
||||
driver-opts: |
|
||||
image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
|
||||
-
|
||||
name: Build
|
||||
uses: ./
|
||||
env:
|
||||
ENV_SECRET: foo
|
||||
with:
|
||||
context: .
|
||||
file: ./test/secret.Dockerfile
|
||||
secret-envs: |
|
||||
MYSECRET=ENV_SECRET
|
||||
INVALID_SECRET=
|
||||
|
||||
network:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
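Review bot: The new `secret-env` job covers a set variable (`ENV_SECRET: foo`) and an empty mapping (`INVALID_SECRET=`), but not a mapping whose right-hand side names a variable that is not set on the runner, which is the likeliest mistake in real workflows. Whether the step then fails or the secret is mounted empty cannot be told from this page; a second build step with a constructed entry such as `MYSECRET=UNSET_ENV_VAR`, marked with the outcome the project expects, would pin that behaviour. Separately, `actions/checkout@v4` and `docker/setup-buildx-action@v3` are referenced by mutable tag; pinning them to a commit SHA is the usual hardening, if the rest of the workflow (outside this hunk) follows that convention.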
|
||||
|
|
|
@ -238,6 +238,7 @@ Following inputs can be used as `step.with` keys
|
|||
| `push` | Bool | [Push](https://docs.docker.com/engine/reference/commandline/buildx_build/#push) is a shorthand for `--output=type=registry` (default `false`) |
|
||||
| `sbom` | Bool/String | Generate [SBOM](https://docs.docker.com/build/attestations/sbom/) attestation for the build (shorthand for `--attest=type=sbom`) |
|
||||
| `secrets` | List | List of [secrets](https://docs.docker.com/engine/reference/commandline/buildx_build/#secret) to expose to the build (e.g., `key=string`, `GIT_AUTH_TOKEN=mytoken`) |
|
||||
| `secret-envs` | List/CSV | List of [secrets](https://docs.docker.com/engine/reference/commandline/buildx_build/#secret) to expose to the build using environment variables (e.g., MY_SECRET=MY_ENV_VAR) |
|
||||
| `secret-files` | List | List of [secret files](https://docs.docker.com/engine/reference/commandline/buildx_build/#secret) to expose to the build (e.g., `key=filename`, `MY_SECRET=./secret.txt`) |
|
||||
| `shm-size` | String | Size of [`/dev/shm`](https://docs.docker.com/engine/reference/commandline/buildx_build/#shm-size) (e.g., `2g`) |
|
||||
| `ssh` | List | List of [SSH agent socket or keys](https://docs.docker.com/engine/reference/commandline/buildx_build/#ssh) to expose to the build |
|
||||
|
|
|
@ -619,6 +619,49 @@ nproc=3`],
|
|||
'.'
|
||||
]
|
||||
],
|
||||
[
|
||||
25,
|
||||
'0.10.0',
|
||||
new Map<string, string>([
|
||||
['context', '.'],
|
||||
['no-cache', 'false'],
|
||||
['load', 'true'],
|
||||
['push', 'false'],
|
||||
['pull', 'false'],
|
||||
['secret-envs', `MY_SECRET=MY_SECRET_ENV
|
||||
ANOTHER_SECRET=ANOTHER_SECRET_ENV`]
|
||||
]),
|
||||
[
|
||||
'build',
|
||||
'--secret', 'id=MY_SECRET,env=MY_SECRET_ENV',
|
||||
'--secret', 'id=ANOTHER_SECRET,env=ANOTHER_SECRET_ENV',
|
||||
'--iidfile', path.join(tmpDir, 'iidfile'),
|
||||
'--load',
|
||||
'--metadata-file', path.join(tmpDir, 'metadata-file'),
|
||||
'.'
|
||||
]
|
||||
],
|
||||
[
|
||||
26,
|
||||
'0.10.0',
|
||||
new Map<string, string>([
|
||||
['context', '.'],
|
||||
['no-cache', 'false'],
|
||||
['load', 'true'],
|
||||
['push', 'false'],
|
||||
['pull', 'false'],
|
||||
['secret-envs', 'MY_SECRET=MY_SECRET_ENV,ANOTHER_SECRET=ANOTHER_SECRET_ENV']
|
||||
]),
|
||||
[
|
||||
'build',
|
||||
'--secret', 'id=MY_SECRET,env=MY_SECRET_ENV',
|
||||
'--secret', 'id=ANOTHER_SECRET,env=ANOTHER_SECRET_ENV',
|
||||
'--iidfile', path.join(tmpDir, 'iidfile'),
|
||||
'--load',
|
||||
'--metadata-file', path.join(tmpDir, 'metadata-file'),
|
||||
'.'
|
||||
]
|
||||
],
|
||||
])(
|
||||
'[%d] given %p with %p as inputs, returns %p',
|
||||
async (num: number, buildxVersion: string, inputs: Map<string, string>, expected: Array<string>) => {
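Review bot: Cases 25 and 26 only feed well-formed `secret-envs` values, so the `catch` branch this commit adds to `getBuildArgs` is never exercised by the unit tests. A further case with an entry that is presumably rejected, e.g. `['secret-envs', 'MY_SECRET=MY_SECRET_ENV,INVALID_SECRET=']`, and an expected argument list holding only `'--secret', 'id=MY_SECRET,env=MY_SECRET_ENV'` would pin the skip-with-warning behaviour that the CI job relies on. The surrounding `test.each([...])` table starts outside the hunk.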
|
||||
|
|
|
@ -80,6 +80,9 @@ inputs:
|
|||
secrets:
|
||||
description: "List of secrets to expose to the build (e.g., key=string, GIT_AUTH_TOKEN=mytoken)"
|
||||
required: false
|
||||
secret-envs:
|
||||
description: "List of secrets to expose to the build using environment variables (e.g., MY_SECRET=MY_ENV_VAR)"
|
||||
required: false
|
||||
secret-files:
|
||||
description: "List of secret files to expose to the build (e.g., key=filename, MY_SECRET=./secret.txt)"
|
||||
required: false
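Review bot: The `secret-envs` description does not say that the right-hand side is the name of an environment variable, and it sits directly below `secrets`, whose example (`GIT_AUTH_TOKEN=mytoken`) puts the secret value itself on the right. A user who copies the `secrets` pattern would put a credential into the `--secret id=…,env=…` argument instead of into the environment. I would spell it out, e.g. `description: "List of secrets to expose to the build, read from environment variables given by name (e.g., MY_SECRET=MY_ENV_VAR, where MY_ENV_VAR is the variable name, not the secret value)"`. The README table row added by this commit uses the same wording and would benefit from the same change.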
|
||||
|
|
|
@ -27,7 +27,7 @@
|
|||
"license": "Apache-2.0",
|
||||
"dependencies": {
|
||||
"@actions/core": "^1.10.1",
|
||||
"@docker/actions-toolkit": "^0.12.0",
|
||||
"@docker/actions-toolkit": "0.13.0-rc.1",
|
||||
"handlebars": "^4.7.7"
|
||||
},
|
||||
"devDependencies": {
|
||||
|
|
|
@ -30,6 +30,7 @@ export interface Inputs {
|
|||
push: boolean;
|
||||
sbom: string;
|
||||
secrets: string[];
|
||||
secretEnvs: string[];
|
||||
secretFiles: string[];
|
||||
shmSize: string;
|
||||
ssh: string[];
|
||||
|
@ -64,6 +65,7 @@ export async function getInputs(): Promise<Inputs> {
|
|||
push: core.getBooleanInput('push'),
|
||||
sbom: core.getInput('sbom'),
|
||||
secrets: Util.getInputList('secrets', {ignoreComma: true}),
|
||||
secretEnvs: Util.getInputList('secret-envs'),
|
||||
secretFiles: Util.getInputList('secret-files', {ignoreComma: true}),
|
||||
shmSize: core.getInput('shm-size'),
|
||||
ssh: Util.getInputList('ssh'),
|
||||
|
@ -116,6 +118,13 @@ async function getBuildArgs(inputs: Inputs, context: string, toolkit: Toolkit):
|
|||
if (inputs.cgroupParent) {
|
||||
args.push('--cgroup-parent', inputs.cgroupParent);
|
||||
}
|
||||
await Util.asyncForEach(inputs.secretEnvs, async secretEnv => {
|
||||
try {
|
||||
args.push('--secret', BuildxInputs.resolveBuildSecretEnv(secretEnv));
|
||||
} catch (err) {
|
||||
core.warning(err.message);
|
||||
}
|
||||
});
|
||||
if (inputs.file) {
|
||||
args.push('--file', inputs.file);
|
||||
}
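Review bot: The loop added to `getBuildArgs` turns every failure of `BuildxInputs.resolveBuildSecretEnv` into `core.warning(err.message)` and carries on, so a mistyped `secret-envs` entry gives a build that runs without that secret rather than a failed step. The CI job in this commit passes `INVALID_SECRET=` and appears to rely on this, so if it is intended it deserves a comment such as `// invalid entries are skipped with a warning, like the other secret inputs` (confirm against the handling of `secrets`, which is outside the hunk). `err` is also used untyped; `core.warning(err instanceof Error ? err.message : String(err));` keeps the call valid if the compiler treats catch variables as `unknown`. The callback awaits nothing, so `for (const secretEnv of inputs.secretEnvs)` would read more directly than `Util.asyncForEach`. `getBuildArgs` starts and ends outside the hunk.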
|
||||
|
|
101
yarn.lock
|
@ -731,19 +731,20 @@
|
|||
dependencies:
|
||||
"@jridgewell/trace-mapping" "0.3.9"
|
||||
|
||||
"@docker/actions-toolkit@^0.12.0":
|
||||
version "0.12.0"
|
||||
resolved "https://registry.yarnpkg.com/@docker/actions-toolkit/-/actions-toolkit-0.12.0.tgz#aa0ba45ac278234171a12637779b8e2687f25edc"
|
||||
integrity sha512-yHhXt1te5AWZsmuIUcoAv5fH4kQ2huiLpdkm0pXUHY6GJrVDfClEE5nc6BXWSBDTZIbrKBTkbCjEnK6euWr65g==
|
||||
"@docker/actions-toolkit@0.13.0-rc.1":
|
||||
version "0.13.0-rc.1"
|
||||
resolved "https://registry.yarnpkg.com/@docker/actions-toolkit/-/actions-toolkit-0.13.0-rc.1.tgz#98085dcc1467c0e18f9e1104f81687ffa8b6cd15"
|
||||
integrity sha512-vdHaxguKszNPDnaAW8kpvKPgmwzf3cmCnBKBT7x9mYedhhYvRmZn17MwD31n5BRrtASktSXUj4S5eVxa532klw==
|
||||
dependencies:
|
||||
"@actions/cache" "^3.2.2"
|
||||
"@actions/core" "^1.10.0"
|
||||
"@actions/core" "^1.10.1"
|
||||
"@actions/exec" "^1.1.1"
|
||||
"@actions/github" "^5.1.1"
|
||||
"@actions/http-client" "^2.1.1"
|
||||
"@actions/io" "^1.1.3"
|
||||
"@actions/tool-cache" "^2.0.1"
|
||||
"@octokit/plugin-rest-endpoint-methods" "^7.2.3"
|
||||
"@octokit/core" "^5.0.1"
|
||||
"@octokit/plugin-rest-endpoint-methods" "^10.0.0"
|
||||
async-retry "^1.3.3"
|
||||
csv-parse "^5.5.0"
|
||||
handlebars "^4.7.8"
|
||||
|
@ -1134,6 +1135,11 @@
|
|||
dependencies:
|
||||
"@octokit/types" "^6.0.3"
|
||||
|
||||
"@octokit/auth-token@^4.0.0":
|
||||
version "4.0.0"
|
||||
resolved "https://registry.yarnpkg.com/@octokit/auth-token/-/auth-token-4.0.0.tgz#40d203ea827b9f17f42a29c6afb93b7745ef80c7"
|
||||
integrity sha512-tY/msAuJo6ARbK6SPIxZrPBms3xPbfwBrulZe0Wtr/DIY9lje2HeV1uoebShn6mx7SjCHif6EjMvoREj+gZ+SA==
|
||||
|
||||
"@octokit/core@^3.6.0":
|
||||
version "3.6.0"
|
||||
resolved "https://registry.yarnpkg.com/@octokit/core/-/core-3.6.0.tgz#3376cb9f3008d9b3d110370d90e0a1fcd5fe6085"
|
||||
|
@ -1147,6 +1153,19 @@
|
|||
before-after-hook "^2.2.0"
|
||||
universal-user-agent "^6.0.0"
|
||||
|
||||
"@octokit/core@^5.0.1":
|
||||
version "5.0.1"
|
||||
resolved "https://registry.yarnpkg.com/@octokit/core/-/core-5.0.1.tgz#865da2b30d54354cccb6e30861ddfa0e24494780"
|
||||
integrity sha512-lyeeeZyESFo+ffI801SaBKmCfsvarO+dgV8/0gD8u1d87clbEdWsP5yC+dSj3zLhb2eIf5SJrn6vDz9AheETHw==
|
||||
dependencies:
|
||||
"@octokit/auth-token" "^4.0.0"
|
||||
"@octokit/graphql" "^7.0.0"
|
||||
"@octokit/request" "^8.0.2"
|
||||
"@octokit/request-error" "^5.0.0"
|
||||
"@octokit/types" "^12.0.0"
|
||||
before-after-hook "^2.2.0"
|
||||
universal-user-agent "^6.0.0"
|
||||
|
||||
"@octokit/endpoint@^6.0.1":
|
||||
version "6.0.5"
|
||||
resolved "https://registry.yarnpkg.com/@octokit/endpoint/-/endpoint-6.0.5.tgz#43a6adee813c5ffd2f719e20cfd14a1fee7c193a"
|
||||
|
@ -1156,6 +1175,15 @@
|
|||
is-plain-object "^4.0.0"
|
||||
universal-user-agent "^6.0.0"
|
||||
|
||||
"@octokit/endpoint@^9.0.0":
|
||||
version "9.0.1"
|
||||
resolved "https://registry.yarnpkg.com/@octokit/endpoint/-/endpoint-9.0.1.tgz#c3f69d27accddcb04a3199fcef541804288149d2"
|
||||
integrity sha512-hRlOKAovtINHQPYHZlfyFwaM8OyetxeoC81lAkBy34uLb8exrZB50SQdeW3EROqiY9G9yxQTpp5OHTV54QD+vA==
|
||||
dependencies:
|
||||
"@octokit/types" "^12.0.0"
|
||||
is-plain-object "^5.0.0"
|
||||
universal-user-agent "^6.0.0"
|
||||
|
||||
"@octokit/graphql@^4.5.8":
|
||||
version "4.6.1"
|
||||
resolved "https://registry.yarnpkg.com/@octokit/graphql/-/graphql-4.6.1.tgz#f975486a46c94b7dbe58a0ca751935edc7e32cc9"
|
||||
|
@ -1165,15 +1193,24 @@
|
|||
"@octokit/types" "^6.0.3"
|
||||
universal-user-agent "^6.0.0"
|
||||
|
||||
"@octokit/graphql@^7.0.0":
|
||||
version "7.0.2"
|
||||
resolved "https://registry.yarnpkg.com/@octokit/graphql/-/graphql-7.0.2.tgz#3df14b9968192f9060d94ed9e3aa9780a76e7f99"
|
||||
integrity sha512-OJ2iGMtj5Tg3s6RaXH22cJcxXRi7Y3EBqbHTBRq+PQAqfaS8f/236fUrWhfSn8P4jovyzqucxme7/vWSSZBX2Q==
|
||||
dependencies:
|
||||
"@octokit/request" "^8.0.1"
|
||||
"@octokit/types" "^12.0.0"
|
||||
universal-user-agent "^6.0.0"
|
||||
|
||||
"@octokit/openapi-types@^11.2.0":
|
||||
version "11.2.0"
|
||||
resolved "https://registry.yarnpkg.com/@octokit/openapi-types/-/openapi-types-11.2.0.tgz#b38d7fc3736d52a1e96b230c1ccd4a58a2f400a6"
|
||||
integrity sha512-PBsVO+15KSlGmiI8QAzaqvsNlZlrDlyAJYcrXBCvVUxCp7VnXjkwPoFHgjEJXx3WF9BAwkA6nfCUA7i9sODzKA==
|
||||
|
||||
"@octokit/openapi-types@^18.0.0":
|
||||
version "18.0.0"
|
||||
resolved "https://registry.yarnpkg.com/@octokit/openapi-types/-/openapi-types-18.0.0.tgz#f43d765b3c7533fd6fb88f3f25df079c24fccf69"
|
||||
integrity sha512-V8GImKs3TeQRxRtXFpG2wl19V7444NIOTDF24AWuIbmNaNYOQMWRbjcGDXV5B+0n887fgDcuMNOmlul+k+oJtw==
|
||||
"@octokit/openapi-types@^19.0.0":
|
||||
version "19.0.0"
|
||||
resolved "https://registry.yarnpkg.com/@octokit/openapi-types/-/openapi-types-19.0.0.tgz#0101bf62ab14c1946149a0f8385440963e1253c4"
|
||||
integrity sha512-PclQ6JGMTE9iUStpzMkwLCISFn/wDeRjkZFIKALpvJQNBGwDoYYi2fFvuHwssoQ1rXI5mfh6jgTgWuddeUzfWw==
|
||||
|
||||
"@octokit/openapi-types@^7.0.0":
|
||||
version "7.0.0"
|
||||
|
@ -1187,6 +1224,13 @@
|
|||
dependencies:
|
||||
"@octokit/types" "^6.34.0"
|
||||
|
||||
"@octokit/plugin-rest-endpoint-methods@^10.0.0":
|
||||
version "10.0.0"
|
||||
resolved "https://registry.yarnpkg.com/@octokit/plugin-rest-endpoint-methods/-/plugin-rest-endpoint-methods-10.0.0.tgz#040b36d6a15d4c7c534b0f44050051225f884cae"
|
||||
integrity sha512-16VkwE2v6rXU+/gBsYC62M8lKWOphY5Lg4wpjYnVE9Zbu0J6IwiT5kILoj1YOB53XLmcJR+Nqp8DmifOPY4H3g==
|
||||
dependencies:
|
||||
"@octokit/types" "^12.0.0"
|
||||
|
||||
"@octokit/plugin-rest-endpoint-methods@^5.13.0":
|
||||
version "5.13.0"
|
||||
resolved "https://registry.yarnpkg.com/@octokit/plugin-rest-endpoint-methods/-/plugin-rest-endpoint-methods-5.13.0.tgz#8c46109021a3412233f6f50d28786f8e552427ba"
|
||||
|
@ -1195,13 +1239,6 @@
|
|||
"@octokit/types" "^6.34.0"
|
||||
deprecation "^2.3.1"
|
||||
|
||||
"@octokit/plugin-rest-endpoint-methods@^7.2.3":
|
||||
version "7.2.3"
|
||||
resolved "https://registry.yarnpkg.com/@octokit/plugin-rest-endpoint-methods/-/plugin-rest-endpoint-methods-7.2.3.tgz#37a84b171a6cb6658816c82c4082ac3512021797"
|
||||
integrity sha512-I5Gml6kTAkzVlN7KCtjOM+Ruwe/rQppp0QU372K1GP7kNOYEKe8Xn5BW4sE62JAHdwpq95OQK/qGNyKQMUzVgA==
|
||||
dependencies:
|
||||
"@octokit/types" "^10.0.0"
|
||||
|
||||
"@octokit/request-error@^2.0.0":
|
||||
version "2.0.2"
|
||||
resolved "https://registry.yarnpkg.com/@octokit/request-error/-/request-error-2.0.2.tgz#0e76b83f5d8fdda1db99027ea5f617c2e6ba9ed0"
|
||||
|
@ -1229,6 +1266,15 @@
|
|||
deprecation "^2.0.0"
|
||||
once "^1.4.0"
|
||||
|
||||
"@octokit/request-error@^5.0.0":
|
||||
version "5.0.1"
|
||||
resolved "https://registry.yarnpkg.com/@octokit/request-error/-/request-error-5.0.1.tgz#277e3ce3b540b41525e07ba24c5ef5e868a72db9"
|
||||
integrity sha512-X7pnyTMV7MgtGmiXBwmO6M5kIPrntOXdyKZLigNfQWSEQzVxR4a4vo49vJjTWX70mPndj8KhfT4Dx+2Ng3vnBQ==
|
||||
dependencies:
|
||||
"@octokit/types" "^12.0.0"
|
||||
deprecation "^2.0.0"
|
||||
once "^1.4.0"
|
||||
|
||||
"@octokit/request@^5.3.0":
|
||||
version "5.4.7"
|
||||
resolved "https://registry.yarnpkg.com/@octokit/request/-/request-5.4.7.tgz#fd703ee092e0463ceba49ff7a3e61cb4cf8a0fde"
|
||||
|
@ -1255,12 +1301,23 @@
|
|||
node-fetch "^2.6.7"
|
||||
universal-user-agent "^6.0.0"
|
||||
|
||||
"@octokit/types@^10.0.0":
|
||||
version "10.0.0"
|
||||
resolved "https://registry.yarnpkg.com/@octokit/types/-/types-10.0.0.tgz#7ee19c464ea4ada306c43f1a45d444000f419a4a"
|
||||
integrity sha512-Vm8IddVmhCgU1fxC1eyinpwqzXPEYu0NrYzD3YZjlGjyftdLBTeqNblRC0jmJmgxbJIsQlyogVeGnrNaaMVzIg==
|
||||
"@octokit/request@^8.0.1", "@octokit/request@^8.0.2":
|
||||
version "8.1.3"
|
||||
resolved "https://registry.yarnpkg.com/@octokit/request/-/request-8.1.3.tgz#03d7fb9b5fe8b800cd5c10d008f99ac02f27e8b4"
|
||||
integrity sha512-iUvXP4QmysS8kyE/a4AGwR0A+tHDVxgW6TmPd2ci8/Xc8KjlBtTKSDpZlUT5Y4S4Nu+eM8LvbOYjVAp/sz3Gpg==
|
||||
dependencies:
|
||||
"@octokit/openapi-types" "^18.0.0"
|
||||
"@octokit/endpoint" "^9.0.0"
|
||||
"@octokit/request-error" "^5.0.0"
|
||||
"@octokit/types" "^12.0.0"
|
||||
is-plain-object "^5.0.0"
|
||||
universal-user-agent "^6.0.0"
|
||||
|
||||
"@octokit/types@^12.0.0":
|
||||
version "12.0.0"
|
||||
resolved "https://registry.yarnpkg.com/@octokit/types/-/types-12.0.0.tgz#6b34309288b6f5ac9761d2589e3165cde1b95fee"
|
||||
integrity sha512-EzD434aHTFifGudYAygnFlS1Tl6KhbTynEWELQXIbTY8Msvb5nEqTZIm7sbPEt4mQYLZwu3zPKVdeIrw0g7ovg==
|
||||
dependencies:
|
||||
"@octokit/openapi-types" "^19.0.0"
|
||||
|
||||
"@octokit/types@^5.0.0", "@octokit/types@^5.0.1":
|
||||
version "5.4.1"
|
||||
|
|