ci: secret job to check for invalid secrets

Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
CrazyMax 2022-10-09 17:39:54 +02:00
parent 871b930e7a
commit 47c00d78bf
3 changed files with 28 additions and 2 deletions

@ -302,6 +302,29 @@ jobs:
run: | run: |
docker image inspect myimage:latest docker image inspect myimage:latest
secret:
runs-on: ubuntu-latest
steps:
-
name: Checkout
uses: actions/checkout@v3
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
with:
version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
driver-opts: |
image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
-
name: Build
uses: ./
with:
context: .
file: ./test/secret.Dockerfile
secrets: |
MYSECRET=foo
INVALID_SECRET=
network: network:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
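Review bot: The new `secret` job has no assertion about the invalid secret: it builds `./test/secret.Dockerfile` with `MYSECRET=foo` and `INVALID_SECRET=` and passes as long as the build succeeds, so it would still be green if the empty secret were silently passed through or silently dropped. Since a GitHub workflow cannot easily assert that the action emitted a warning, the check is better placed where the result is observable, e.g. a Dockerfile step such as `RUN --mount=type=secret,id=INVALID_SECRET test ! -e /run/secrets/INVALID_SECRET` that fails when an unexpected secret is mounted, or a step after the build that inspects the action's logged output. A one-line comment on the `secrets:` input stating what is expected to happen to `INVALID_SECRET` (`# empty value: must be rejected by getSecret, not forwarded to BuildKit`) would also make the job's intent clear. The `jobs:` mapping this job belongs to continues outside the hunk.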

@ -137,8 +137,7 @@ describe('getSecret', () => {
} }
expect(true).toBe(!invalid); expect(true).toBe(!invalid);
expect(secret).toEqual(`id=${exKey},src=${tmpNameSync}`); expect(secret).toEqual(`id=${exKey},src=${tmpNameSync}`);
const secretValue = await fs.readFileSync(tmpNameSync, 'utf-8'); expect(fs.readFileSync(tmpNameSync, 'utf-8')).toEqual(exValue);
expect(secretValue).toEqual(exValue);
} catch (err) { } catch (err) {
// eslint-disable-next-line jest/no-conditional-expect // eslint-disable-next-line jest/no-conditional-expect
expect(true).toBe(invalid); expect(true).toBe(invalid);

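--- /dev/null
+++ b/test/secret.Dockerfile
@@ -0,0 +1,4 @@
+# syntax=docker/dockerfile:1
+FROM busybox
+RUN --mount=type=secret,id=MYSECRET \
+echo "MYSECRET=$(cat /run/secrets/MYSECRET)"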
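Review bot: The `RUN` on the last line prints the secret's plaintext into the build output, so the value ends up in the CI log of every run of the job that uses this fixture; the value is a literal `foo` today, but this is the pattern secret mounts exist to prevent, and it would leak the moment a real secret is wired into the job. A presence check gives the same signal without echoing the contents, e.g. `RUN --mount=type=secret,id=MYSECRET test -s /run/secrets/MYSECRET`. If this fixture is also meant to prove that `INVALID_SECRET=` is rejected rather than forwarded, that can be asserted here as well with `RUN --mount=type=secret,id=INVALID_SECRET test ! -e /run/secrets/INVALID_SECRET`, since a secret mount whose id was not supplied leaves no file unless `required=true` is set (worth confirming against the frontend version pinned by the `syntax` line). A header comment naming the purpose of the file (`# Fixture for the ci.yml secret job: succeeds only if MYSECRET is mounted`) would help the next reader.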