feat: add secret-envs input

Signed-off-by: Elias Lundgren <145569914+elias-lundgren@users.noreply.github.com>

.github/workflows/ci.yml

@@ -393,6 +393,31 @@ jobs:
             MYSECRET=foo
             INVALID_SECRET=
 
+  secret-env:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+      -
+        name: Set up Docker buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        uses: ./
+        env:
+          ENV_SECRET: foo
+        with:
+          context: .
+          file: ./test/secret.Dockerfile
+          secret-envs: |
+            MYSECRET=ENV_SECRET
+            INVALID_SECRET=
+
   network:
     runs-on: ubuntu-latest
     steps:

README.md

@@ -238,6 +238,7 @@ Following inputs can be used as `step.with` keys
 | `push`             | Bool        | [Push](https://docs.docker.com/engine/reference/commandline/buildx_build/#push) is a shorthand for `--output=type=registry` (default `false`)                                     |
 | `sbom`             | Bool/String | Generate [SBOM](https://docs.docker.com/build/attestations/sbom/) attestation for the build (shorthand for `--attest=type=sbom`)                                                  |
 | `secrets`          | List        | List of [secrets](https://docs.docker.com/engine/reference/commandline/buildx_build/#secret) to expose to the build (e.g., `key=string`, `GIT_AUTH_TOKEN=mytoken`)                |
+| `secret-envs`      | List/CSV    | List of [secrets](https://docs.docker.com/engine/reference/commandline/buildx_build/#secret) to expose to the build using environment variables (e.g., MY_SECRET=MY_ENV_VAR)      |
 | `secret-files`     | List        | List of [secret files](https://docs.docker.com/engine/reference/commandline/buildx_build/#secret) to expose to the build (e.g., `key=filename`, `MY_SECRET=./secret.txt`)         |
 | `shm-size`         | String      | Size of [`/dev/shm`](https://docs.docker.com/engine/reference/commandline/buildx_build/#shm-size) (e.g., `2g`)                                                                    |
 | `ssh`              | List        | List of [SSH agent socket or keys](https://docs.docker.com/engine/reference/commandline/buildx_build/#ssh) to expose to the build                                                 |

__tests__/context.test.ts

@@ -619,6 +619,49 @@ nproc=3`],
         '.'
       ]
     ],
+    [
+      25,
+      '0.10.0',
+      new Map<string, string>([
+        ['context', '.'],
+        ['no-cache', 'false'],
+        ['load', 'true'],
+        ['push', 'false'],
+        ['pull', 'false'],
+        ['secret-envs', `MY_SECRET=MY_SECRET_ENV
+ANOTHER_SECRET=ANOTHER_SECRET_ENV`]
+      ]),
+      [
+        'build',
+        '--secret', 'id=MY_SECRET,env=MY_SECRET_ENV',
+        '--secret', 'id=ANOTHER_SECRET,env=ANOTHER_SECRET_ENV',
+        '--iidfile', path.join(tmpDir, 'iidfile'),
+        '--load',
+        '--metadata-file', path.join(tmpDir, 'metadata-file'),
+        '.'
+      ]
+    ],
+    [
+      26,
+      '0.10.0',
+      new Map<string, string>([
+        ['context', '.'],
+        ['no-cache', 'false'],
+        ['load', 'true'],
+        ['push', 'false'],
+        ['pull', 'false'],
+        ['secret-envs', 'MY_SECRET=MY_SECRET_ENV,ANOTHER_SECRET=ANOTHER_SECRET_ENV']
+      ]),
+      [
+        'build',
+        '--secret', 'id=MY_SECRET,env=MY_SECRET_ENV',
+        '--secret', 'id=ANOTHER_SECRET,env=ANOTHER_SECRET_ENV',
+        '--iidfile', path.join(tmpDir, 'iidfile'),
+        '--load',
+        '--metadata-file', path.join(tmpDir, 'metadata-file'),
+        '.'
+      ]
+    ],
   ])(
     '[%d] given %p with %p as inputs, returns %p',
     async (num: number, buildxVersion: string, inputs: Map<string, string>, expected: Array<string>) => {

action.yml

@@ -80,6 +80,9 @@ inputs:
   secrets:
     description: "List of secrets to expose to the build (e.g., key=string, GIT_AUTH_TOKEN=mytoken)"
     required: false
+  secret-envs:
+    description: "List of secrets to expose to the build using environment variables (e.g., MY_SECRET=MY_ENV_VAR)"
+    required: false
   secret-files:
     description: "List of secret files to expose to the build (e.g., key=filename, MY_SECRET=./secret.txt)"
     required: false

package.json

@@ -27,7 +27,7 @@
   "license": "Apache-2.0",
   "dependencies": {
     "@actions/core": "^1.10.1",
-    "@docker/actions-toolkit": "^0.12.0",
+    "@docker/actions-toolkit": "0.13.0-rc.1",
     "handlebars": "^4.7.7"
   },
   "devDependencies": {

src/context.ts

@@ -30,6 +30,7 @@ export interface Inputs {
   push: boolean;
   sbom: string;
   secrets: string[];
+  secretEnvs: string[];
   secretFiles: string[];
   shmSize: string;
   ssh: string[];
@@ -64,6 +65,7 @@ export async function getInputs(): Promise<Inputs> {
     push: core.getBooleanInput('push'),
     sbom: core.getInput('sbom'),
     secrets: Util.getInputList('secrets', {ignoreComma: true}),
+    secretEnvs: Util.getInputList('secret-envs'),
     secretFiles: Util.getInputList('secret-files', {ignoreComma: true}),
     shmSize: core.getInput('shm-size'),
     ssh: Util.getInputList('ssh'),
@@ -116,6 +118,13 @@ async function getBuildArgs(inputs: Inputs, context: string, toolkit: Toolkit):
   if (inputs.cgroupParent) {
     args.push('--cgroup-parent', inputs.cgroupParent);
   }
+  await Util.asyncForEach(inputs.secretEnvs, async secretEnv => {
+    try {
+      args.push('--secret', BuildxInputs.resolveBuildSecretEnv(secretEnv));
+    } catch (err) {
+      core.warning(err.message);
+    }
+  });
   if (inputs.file) {
     args.push('--file', inputs.file);
   }

yarn.lock

@@ -731,19 +731,20 @@
   dependencies:
     "@jridgewell/trace-mapping" "0.3.9"
 
-"@docker/actions-toolkit@^0.12.0":
-  version "0.12.0"
-  resolved "https://registry.yarnpkg.com/@docker/actions-toolkit/-/actions-toolkit-0.12.0.tgz#aa0ba45ac278234171a12637779b8e2687f25edc"
-  integrity sha512-yHhXt1te5AWZsmuIUcoAv5fH4kQ2huiLpdkm0pXUHY6GJrVDfClEE5nc6BXWSBDTZIbrKBTkbCjEnK6euWr65g==
+"@docker/actions-toolkit@0.13.0-rc.1":
+  version "0.13.0-rc.1"
+  resolved "https://registry.yarnpkg.com/@docker/actions-toolkit/-/actions-toolkit-0.13.0-rc.1.tgz#98085dcc1467c0e18f9e1104f81687ffa8b6cd15"
+  integrity sha512-vdHaxguKszNPDnaAW8kpvKPgmwzf3cmCnBKBT7x9mYedhhYvRmZn17MwD31n5BRrtASktSXUj4S5eVxa532klw==
   dependencies:
     "@actions/cache" "^3.2.2"
-    "@actions/core" "^1.10.0"
+    "@actions/core" "^1.10.1"
     "@actions/exec" "^1.1.1"
     "@actions/github" "^5.1.1"
     "@actions/http-client" "^2.1.1"
     "@actions/io" "^1.1.3"
     "@actions/tool-cache" "^2.0.1"
-    "@octokit/plugin-rest-endpoint-methods" "^7.2.3"
+    "@octokit/core" "^5.0.1"
+    "@octokit/plugin-rest-endpoint-methods" "^10.0.0"
     async-retry "^1.3.3"
     csv-parse "^5.5.0"
     handlebars "^4.7.8"
@@ -1134,6 +1135,11 @@
   dependencies:
     "@octokit/types" "^6.0.3"
 
+"@octokit/auth-token@^4.0.0":
+  version "4.0.0"
+  resolved "https://registry.yarnpkg.com/@octokit/auth-token/-/auth-token-4.0.0.tgz#40d203ea827b9f17f42a29c6afb93b7745ef80c7"
+  integrity sha512-tY/msAuJo6ARbK6SPIxZrPBms3xPbfwBrulZe0Wtr/DIY9lje2HeV1uoebShn6mx7SjCHif6EjMvoREj+gZ+SA==
+
 "@octokit/core@^3.6.0":
   version "3.6.0"
   resolved "https://registry.yarnpkg.com/@octokit/core/-/core-3.6.0.tgz#3376cb9f3008d9b3d110370d90e0a1fcd5fe6085"
@@ -1147,6 +1153,19 @@
     before-after-hook "^2.2.0"
     universal-user-agent "^6.0.0"
 
+"@octokit/core@^5.0.1":
+  version "5.0.1"
+  resolved "https://registry.yarnpkg.com/@octokit/core/-/core-5.0.1.tgz#865da2b30d54354cccb6e30861ddfa0e24494780"
+  integrity sha512-lyeeeZyESFo+ffI801SaBKmCfsvarO+dgV8/0gD8u1d87clbEdWsP5yC+dSj3zLhb2eIf5SJrn6vDz9AheETHw==
+  dependencies:
+    "@octokit/auth-token" "^4.0.0"
+    "@octokit/graphql" "^7.0.0"
+    "@octokit/request" "^8.0.2"
+    "@octokit/request-error" "^5.0.0"
+    "@octokit/types" "^12.0.0"
+    before-after-hook "^2.2.0"
+    universal-user-agent "^6.0.0"
+
 "@octokit/endpoint@^6.0.1":
   version "6.0.5"
   resolved "https://registry.yarnpkg.com/@octokit/endpoint/-/endpoint-6.0.5.tgz#43a6adee813c5ffd2f719e20cfd14a1fee7c193a"
@@ -1156,6 +1175,15 @@
     is-plain-object "^4.0.0"
     universal-user-agent "^6.0.0"
 
+"@octokit/endpoint@^9.0.0":
+  version "9.0.1"
+  resolved "https://registry.yarnpkg.com/@octokit/endpoint/-/endpoint-9.0.1.tgz#c3f69d27accddcb04a3199fcef541804288149d2"
+  integrity sha512-hRlOKAovtINHQPYHZlfyFwaM8OyetxeoC81lAkBy34uLb8exrZB50SQdeW3EROqiY9G9yxQTpp5OHTV54QD+vA==
+  dependencies:
+    "@octokit/types" "^12.0.0"
+    is-plain-object "^5.0.0"
+    universal-user-agent "^6.0.0"
+
 "@octokit/graphql@^4.5.8":
   version "4.6.1"
   resolved "https://registry.yarnpkg.com/@octokit/graphql/-/graphql-4.6.1.tgz#f975486a46c94b7dbe58a0ca751935edc7e32cc9"
@@ -1165,15 +1193,24 @@
     "@octokit/types" "^6.0.3"
     universal-user-agent "^6.0.0"
 
+"@octokit/graphql@^7.0.0":
+  version "7.0.2"
+  resolved "https://registry.yarnpkg.com/@octokit/graphql/-/graphql-7.0.2.tgz#3df14b9968192f9060d94ed9e3aa9780a76e7f99"
+  integrity sha512-OJ2iGMtj5Tg3s6RaXH22cJcxXRi7Y3EBqbHTBRq+PQAqfaS8f/236fUrWhfSn8P4jovyzqucxme7/vWSSZBX2Q==
+  dependencies:
+    "@octokit/request" "^8.0.1"
+    "@octokit/types" "^12.0.0"
+    universal-user-agent "^6.0.0"
+
 "@octokit/openapi-types@^11.2.0":
   version "11.2.0"
   resolved "https://registry.yarnpkg.com/@octokit/openapi-types/-/openapi-types-11.2.0.tgz#b38d7fc3736d52a1e96b230c1ccd4a58a2f400a6"
   integrity sha512-PBsVO+15KSlGmiI8QAzaqvsNlZlrDlyAJYcrXBCvVUxCp7VnXjkwPoFHgjEJXx3WF9BAwkA6nfCUA7i9sODzKA==
 
-"@octokit/openapi-types@^18.0.0":
-  version "18.0.0"
-  resolved "https://registry.yarnpkg.com/@octokit/openapi-types/-/openapi-types-18.0.0.tgz#f43d765b3c7533fd6fb88f3f25df079c24fccf69"
-  integrity sha512-V8GImKs3TeQRxRtXFpG2wl19V7444NIOTDF24AWuIbmNaNYOQMWRbjcGDXV5B+0n887fgDcuMNOmlul+k+oJtw==
+"@octokit/openapi-types@^19.0.0":
+  version "19.0.0"
+  resolved "https://registry.yarnpkg.com/@octokit/openapi-types/-/openapi-types-19.0.0.tgz#0101bf62ab14c1946149a0f8385440963e1253c4"
+  integrity sha512-PclQ6JGMTE9iUStpzMkwLCISFn/wDeRjkZFIKALpvJQNBGwDoYYi2fFvuHwssoQ1rXI5mfh6jgTgWuddeUzfWw==
 
 "@octokit/openapi-types@^7.0.0":
   version "7.0.0"
@@ -1187,6 +1224,13 @@
   dependencies:
     "@octokit/types" "^6.34.0"
 
+"@octokit/plugin-rest-endpoint-methods@^10.0.0":
+  version "10.0.0"
+  resolved "https://registry.yarnpkg.com/@octokit/plugin-rest-endpoint-methods/-/plugin-rest-endpoint-methods-10.0.0.tgz#040b36d6a15d4c7c534b0f44050051225f884cae"
+  integrity sha512-16VkwE2v6rXU+/gBsYC62M8lKWOphY5Lg4wpjYnVE9Zbu0J6IwiT5kILoj1YOB53XLmcJR+Nqp8DmifOPY4H3g==
+  dependencies:
+    "@octokit/types" "^12.0.0"
+
 "@octokit/plugin-rest-endpoint-methods@^5.13.0":
   version "5.13.0"
   resolved "https://registry.yarnpkg.com/@octokit/plugin-rest-endpoint-methods/-/plugin-rest-endpoint-methods-5.13.0.tgz#8c46109021a3412233f6f50d28786f8e552427ba"
@@ -1195,13 +1239,6 @@
     "@octokit/types" "^6.34.0"
     deprecation "^2.3.1"
 
-"@octokit/plugin-rest-endpoint-methods@^7.2.3":
-  version "7.2.3"
-  resolved "https://registry.yarnpkg.com/@octokit/plugin-rest-endpoint-methods/-/plugin-rest-endpoint-methods-7.2.3.tgz#37a84b171a6cb6658816c82c4082ac3512021797"
-  integrity sha512-I5Gml6kTAkzVlN7KCtjOM+Ruwe/rQppp0QU372K1GP7kNOYEKe8Xn5BW4sE62JAHdwpq95OQK/qGNyKQMUzVgA==
-  dependencies:
-    "@octokit/types" "^10.0.0"
-
 "@octokit/request-error@^2.0.0":
   version "2.0.2"
   resolved "https://registry.yarnpkg.com/@octokit/request-error/-/request-error-2.0.2.tgz#0e76b83f5d8fdda1db99027ea5f617c2e6ba9ed0"
@@ -1229,6 +1266,15 @@
     deprecation "^2.0.0"
     once "^1.4.0"
 
+"@octokit/request-error@^5.0.0":
+  version "5.0.1"
+  resolved "https://registry.yarnpkg.com/@octokit/request-error/-/request-error-5.0.1.tgz#277e3ce3b540b41525e07ba24c5ef5e868a72db9"
+  integrity sha512-X7pnyTMV7MgtGmiXBwmO6M5kIPrntOXdyKZLigNfQWSEQzVxR4a4vo49vJjTWX70mPndj8KhfT4Dx+2Ng3vnBQ==
+  dependencies:
+    "@octokit/types" "^12.0.0"
+    deprecation "^2.0.0"
+    once "^1.4.0"
+
 "@octokit/request@^5.3.0":
   version "5.4.7"
   resolved "https://registry.yarnpkg.com/@octokit/request/-/request-5.4.7.tgz#fd703ee092e0463ceba49ff7a3e61cb4cf8a0fde"
@@ -1255,12 +1301,23 @@
     node-fetch "^2.6.7"
     universal-user-agent "^6.0.0"
 
-"@octokit/types@^10.0.0":
-  version "10.0.0"
-  resolved "https://registry.yarnpkg.com/@octokit/types/-/types-10.0.0.tgz#7ee19c464ea4ada306c43f1a45d444000f419a4a"
-  integrity sha512-Vm8IddVmhCgU1fxC1eyinpwqzXPEYu0NrYzD3YZjlGjyftdLBTeqNblRC0jmJmgxbJIsQlyogVeGnrNaaMVzIg==
+"@octokit/request@^8.0.1", "@octokit/request@^8.0.2":
+  version "8.1.3"
+  resolved "https://registry.yarnpkg.com/@octokit/request/-/request-8.1.3.tgz#03d7fb9b5fe8b800cd5c10d008f99ac02f27e8b4"
+  integrity sha512-iUvXP4QmysS8kyE/a4AGwR0A+tHDVxgW6TmPd2ci8/Xc8KjlBtTKSDpZlUT5Y4S4Nu+eM8LvbOYjVAp/sz3Gpg==
   dependencies:
-    "@octokit/openapi-types" "^18.0.0"
+    "@octokit/endpoint" "^9.0.0"
+    "@octokit/request-error" "^5.0.0"
+    "@octokit/types" "^12.0.0"
+    is-plain-object "^5.0.0"
+    universal-user-agent "^6.0.0"
+
+"@octokit/types@^12.0.0":
+  version "12.0.0"
+  resolved "https://registry.yarnpkg.com/@octokit/types/-/types-12.0.0.tgz#6b34309288b6f5ac9761d2589e3165cde1b95fee"
+  integrity sha512-EzD434aHTFifGudYAygnFlS1Tl6KhbTynEWELQXIbTY8Msvb5nEqTZIm7sbPEt4mQYLZwu3zPKVdeIrw0g7ovg==
+  dependencies:
+    "@octokit/openapi-types" "^19.0.0"
 
 "@octokit/types@^5.0.0", "@octokit/types@^5.0.1":
   version "5.4.1"