feat: add secret-envs input

Signed-off-by: Elias Lundgren <145569914+elias-lundgren@users.noreply.github.com>
This commit is contained in:
Elias Lundgren 2023-09-26 16:34:10 +02:00
parent 4c1b68d83a
commit 5f01267817
No known key found for this signature in database
7 changed files with 161 additions and 23 deletions

@ -393,6 +393,31 @@ jobs:
MYSECRET=foo MYSECRET=foo
INVALID_SECRET= INVALID_SECRET=
secret-env:
runs-on: ubuntu-latest
steps:
-
name: Checkout
uses: actions/checkout@v4
-
name: Set up Docker buildx
uses: docker/setup-buildx-action@v3
with:
version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
driver-opts: |
image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
-
name: Build
uses: ./
env:
ENV_SECRET: foo
with:
context: .
file: ./test/secret.Dockerfile
secret-envs: |
MYSECRET=ENV_SECRET
INVALID_SECRET=
network: network:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:

@ -238,6 +238,7 @@ Following inputs can be used as `step.with` keys
| `push` | Bool | [Push](https://docs.docker.com/engine/reference/commandline/buildx_build/#push) is a shorthand for `--output=type=registry` (default `false`) | | `push` | Bool | [Push](https://docs.docker.com/engine/reference/commandline/buildx_build/#push) is a shorthand for `--output=type=registry` (default `false`) |
| `sbom` | Bool/String | Generate [SBOM](https://docs.docker.com/build/attestations/sbom/) attestation for the build (shorthand for `--attest=type=sbom`) | | `sbom` | Bool/String | Generate [SBOM](https://docs.docker.com/build/attestations/sbom/) attestation for the build (shorthand for `--attest=type=sbom`) |
| `secrets` | List | List of [secrets](https://docs.docker.com/engine/reference/commandline/buildx_build/#secret) to expose to the build (e.g., `key=string`, `GIT_AUTH_TOKEN=mytoken`) | | `secrets` | List | List of [secrets](https://docs.docker.com/engine/reference/commandline/buildx_build/#secret) to expose to the build (e.g., `key=string`, `GIT_AUTH_TOKEN=mytoken`) |
| `secret-envs` | List/CSV | List of [secrets](https://docs.docker.com/engine/reference/commandline/buildx_build/#secret) to expose to the build using environment variables (e.g., MY_SECRET=MY_ENV_VAR) |
| `secret-files` | List | List of [secret files](https://docs.docker.com/engine/reference/commandline/buildx_build/#secret) to expose to the build (e.g., `key=filename`, `MY_SECRET=./secret.txt`) | | `secret-files` | List | List of [secret files](https://docs.docker.com/engine/reference/commandline/buildx_build/#secret) to expose to the build (e.g., `key=filename`, `MY_SECRET=./secret.txt`) |
| `shm-size` | String | Size of [`/dev/shm`](https://docs.docker.com/engine/reference/commandline/buildx_build/#shm-size) (e.g., `2g`) | | `shm-size` | String | Size of [`/dev/shm`](https://docs.docker.com/engine/reference/commandline/buildx_build/#shm-size) (e.g., `2g`) |
| `ssh` | List | List of [SSH agent socket or keys](https://docs.docker.com/engine/reference/commandline/buildx_build/#ssh) to expose to the build | | `ssh` | List | List of [SSH agent socket or keys](https://docs.docker.com/engine/reference/commandline/buildx_build/#ssh) to expose to the build |

@ -619,6 +619,49 @@ nproc=3`],
'.' '.'
] ]
], ],
[
25,
'0.10.0',
new Map<string, string>([
['context', '.'],
['no-cache', 'false'],
['load', 'true'],
['push', 'false'],
['pull', 'false'],
['secret-envs', `MY_SECRET=MY_SECRET_ENV
ANOTHER_SECRET=ANOTHER_SECRET_ENV`]
]),
[
'build',
'--secret', 'id=MY_SECRET,env=MY_SECRET_ENV',
'--secret', 'id=ANOTHER_SECRET,env=ANOTHER_SECRET_ENV',
'--iidfile', path.join(tmpDir, 'iidfile'),
'--load',
'--metadata-file', path.join(tmpDir, 'metadata-file'),
'.'
]
],
[
26,
'0.10.0',
new Map<string, string>([
['context', '.'],
['no-cache', 'false'],
['load', 'true'],
['push', 'false'],
['pull', 'false'],
['secret-envs', 'MY_SECRET=MY_SECRET_ENV,ANOTHER_SECRET=ANOTHER_SECRET_ENV']
]),
[
'build',
'--secret', 'id=MY_SECRET,env=MY_SECRET_ENV',
'--secret', 'id=ANOTHER_SECRET,env=ANOTHER_SECRET_ENV',
'--iidfile', path.join(tmpDir, 'iidfile'),
'--load',
'--metadata-file', path.join(tmpDir, 'metadata-file'),
'.'
]
],
])( ])(
'[%d] given %p with %p as inputs, returns %p', '[%d] given %p with %p as inputs, returns %p',
async (num: number, buildxVersion: string, inputs: Map<string, string>, expected: Array<string>) => { async (num: number, buildxVersion: string, inputs: Map<string, string>, expected: Array<string>) => {

@ -80,6 +80,9 @@ inputs:
secrets: secrets:
description: "List of secrets to expose to the build (e.g., key=string, GIT_AUTH_TOKEN=mytoken)" description: "List of secrets to expose to the build (e.g., key=string, GIT_AUTH_TOKEN=mytoken)"
required: false required: false
secret-envs:
description: "List of secrets to expose to the build using environment variables (e.g., MY_SECRET=MY_ENV_VAR)"
required: false
secret-files: secret-files:
description: "List of secret files to expose to the build (e.g., key=filename, MY_SECRET=./secret.txt)" description: "List of secret files to expose to the build (e.g., key=filename, MY_SECRET=./secret.txt)"
required: false required: false

@ -27,7 +27,7 @@
"license": "Apache-2.0", "license": "Apache-2.0",
"dependencies": { "dependencies": {
"@actions/core": "^1.10.1", "@actions/core": "^1.10.1",
"@docker/actions-toolkit": "^0.12.0", "@docker/actions-toolkit": "0.13.0-rc.1",
"handlebars": "^4.7.7" "handlebars": "^4.7.7"
}, },
"devDependencies": { "devDependencies": {

@ -30,6 +30,7 @@ export interface Inputs {
push: boolean; push: boolean;
sbom: string; sbom: string;
secrets: string[]; secrets: string[];
secretEnvs: string[];
secretFiles: string[]; secretFiles: string[];
shmSize: string; shmSize: string;
ssh: string[]; ssh: string[];
@ -64,6 +65,7 @@ export async function getInputs(): Promise<Inputs> {
push: core.getBooleanInput('push'), push: core.getBooleanInput('push'),
sbom: core.getInput('sbom'), sbom: core.getInput('sbom'),
secrets: Util.getInputList('secrets', {ignoreComma: true}), secrets: Util.getInputList('secrets', {ignoreComma: true}),
secretEnvs: Util.getInputList('secret-envs'),
secretFiles: Util.getInputList('secret-files', {ignoreComma: true}), secretFiles: Util.getInputList('secret-files', {ignoreComma: true}),
shmSize: core.getInput('shm-size'), shmSize: core.getInput('shm-size'),
ssh: Util.getInputList('ssh'), ssh: Util.getInputList('ssh'),
@ -116,6 +118,13 @@ async function getBuildArgs(inputs: Inputs, context: string, toolkit: Toolkit):
if (inputs.cgroupParent) { if (inputs.cgroupParent) {
args.push('--cgroup-parent', inputs.cgroupParent); args.push('--cgroup-parent', inputs.cgroupParent);
} }
await Util.asyncForEach(inputs.secretEnvs, async secretEnv => {
try {
args.push('--secret', BuildxInputs.resolveBuildSecretEnv(secretEnv));
} catch (err) {
core.warning(err.message);
}
});
if (inputs.file) { if (inputs.file) {
args.push('--file', inputs.file); args.push('--file', inputs.file);
} }

101
yarn.lock

@ -731,19 +731,20 @@
dependencies: dependencies:
"@jridgewell/trace-mapping" "0.3.9" "@jridgewell/trace-mapping" "0.3.9"
"@docker/actions-toolkit@^0.12.0": "@docker/actions-toolkit@0.13.0-rc.1":
version "0.12.0" version "0.13.0-rc.1"
resolved "https://registry.yarnpkg.com/@docker/actions-toolkit/-/actions-toolkit-0.12.0.tgz#aa0ba45ac278234171a12637779b8e2687f25edc" resolved "https://registry.yarnpkg.com/@docker/actions-toolkit/-/actions-toolkit-0.13.0-rc.1.tgz#98085dcc1467c0e18f9e1104f81687ffa8b6cd15"
integrity sha512-yHhXt1te5AWZsmuIUcoAv5fH4kQ2huiLpdkm0pXUHY6GJrVDfClEE5nc6BXWSBDTZIbrKBTkbCjEnK6euWr65g== integrity sha512-vdHaxguKszNPDnaAW8kpvKPgmwzf3cmCnBKBT7x9mYedhhYvRmZn17MwD31n5BRrtASktSXUj4S5eVxa532klw==
dependencies: dependencies:
"@actions/cache" "^3.2.2" "@actions/cache" "^3.2.2"
"@actions/core" "^1.10.0" "@actions/core" "^1.10.1"
"@actions/exec" "^1.1.1" "@actions/exec" "^1.1.1"
"@actions/github" "^5.1.1" "@actions/github" "^5.1.1"
"@actions/http-client" "^2.1.1" "@actions/http-client" "^2.1.1"
"@actions/io" "^1.1.3" "@actions/io" "^1.1.3"
"@actions/tool-cache" "^2.0.1" "@actions/tool-cache" "^2.0.1"
"@octokit/plugin-rest-endpoint-methods" "^7.2.3" "@octokit/core" "^5.0.1"
"@octokit/plugin-rest-endpoint-methods" "^10.0.0"
async-retry "^1.3.3" async-retry "^1.3.3"
csv-parse "^5.5.0" csv-parse "^5.5.0"
handlebars "^4.7.8" handlebars "^4.7.8"
@ -1134,6 +1135,11 @@
dependencies: dependencies:
"@octokit/types" "^6.0.3" "@octokit/types" "^6.0.3"
"@octokit/auth-token@^4.0.0":
version "4.0.0"
resolved "https://registry.yarnpkg.com/@octokit/auth-token/-/auth-token-4.0.0.tgz#40d203ea827b9f17f42a29c6afb93b7745ef80c7"
integrity sha512-tY/msAuJo6ARbK6SPIxZrPBms3xPbfwBrulZe0Wtr/DIY9lje2HeV1uoebShn6mx7SjCHif6EjMvoREj+gZ+SA==
"@octokit/core@^3.6.0": "@octokit/core@^3.6.0":
version "3.6.0" version "3.6.0"
resolved "https://registry.yarnpkg.com/@octokit/core/-/core-3.6.0.tgz#3376cb9f3008d9b3d110370d90e0a1fcd5fe6085" resolved "https://registry.yarnpkg.com/@octokit/core/-/core-3.6.0.tgz#3376cb9f3008d9b3d110370d90e0a1fcd5fe6085"
@ -1147,6 +1153,19 @@
before-after-hook "^2.2.0" before-after-hook "^2.2.0"
universal-user-agent "^6.0.0" universal-user-agent "^6.0.0"
"@octokit/core@^5.0.1":
version "5.0.1"
resolved "https://registry.yarnpkg.com/@octokit/core/-/core-5.0.1.tgz#865da2b30d54354cccb6e30861ddfa0e24494780"
integrity sha512-lyeeeZyESFo+ffI801SaBKmCfsvarO+dgV8/0gD8u1d87clbEdWsP5yC+dSj3zLhb2eIf5SJrn6vDz9AheETHw==
dependencies:
"@octokit/auth-token" "^4.0.0"
"@octokit/graphql" "^7.0.0"
"@octokit/request" "^8.0.2"
"@octokit/request-error" "^5.0.0"
"@octokit/types" "^12.0.0"
before-after-hook "^2.2.0"
universal-user-agent "^6.0.0"
"@octokit/endpoint@^6.0.1": "@octokit/endpoint@^6.0.1":
version "6.0.5" version "6.0.5"
resolved "https://registry.yarnpkg.com/@octokit/endpoint/-/endpoint-6.0.5.tgz#43a6adee813c5ffd2f719e20cfd14a1fee7c193a" resolved "https://registry.yarnpkg.com/@octokit/endpoint/-/endpoint-6.0.5.tgz#43a6adee813c5ffd2f719e20cfd14a1fee7c193a"
@ -1156,6 +1175,15 @@
is-plain-object "^4.0.0" is-plain-object "^4.0.0"
universal-user-agent "^6.0.0" universal-user-agent "^6.0.0"
"@octokit/endpoint@^9.0.0":
version "9.0.1"
resolved "https://registry.yarnpkg.com/@octokit/endpoint/-/endpoint-9.0.1.tgz#c3f69d27accddcb04a3199fcef541804288149d2"
integrity sha512-hRlOKAovtINHQPYHZlfyFwaM8OyetxeoC81lAkBy34uLb8exrZB50SQdeW3EROqiY9G9yxQTpp5OHTV54QD+vA==
dependencies:
"@octokit/types" "^12.0.0"
is-plain-object "^5.0.0"
universal-user-agent "^6.0.0"
"@octokit/graphql@^4.5.8": "@octokit/graphql@^4.5.8":
version "4.6.1" version "4.6.1"
resolved "https://registry.yarnpkg.com/@octokit/graphql/-/graphql-4.6.1.tgz#f975486a46c94b7dbe58a0ca751935edc7e32cc9" resolved "https://registry.yarnpkg.com/@octokit/graphql/-/graphql-4.6.1.tgz#f975486a46c94b7dbe58a0ca751935edc7e32cc9"
@ -1165,15 +1193,24 @@
"@octokit/types" "^6.0.3" "@octokit/types" "^6.0.3"
universal-user-agent "^6.0.0" universal-user-agent "^6.0.0"
"@octokit/graphql@^7.0.0":
version "7.0.2"
resolved "https://registry.yarnpkg.com/@octokit/graphql/-/graphql-7.0.2.tgz#3df14b9968192f9060d94ed9e3aa9780a76e7f99"
integrity sha512-OJ2iGMtj5Tg3s6RaXH22cJcxXRi7Y3EBqbHTBRq+PQAqfaS8f/236fUrWhfSn8P4jovyzqucxme7/vWSSZBX2Q==
dependencies:
"@octokit/request" "^8.0.1"
"@octokit/types" "^12.0.0"
universal-user-agent "^6.0.0"
"@octokit/openapi-types@^11.2.0": "@octokit/openapi-types@^11.2.0":
version "11.2.0" version "11.2.0"
resolved "https://registry.yarnpkg.com/@octokit/openapi-types/-/openapi-types-11.2.0.tgz#b38d7fc3736d52a1e96b230c1ccd4a58a2f400a6" resolved "https://registry.yarnpkg.com/@octokit/openapi-types/-/openapi-types-11.2.0.tgz#b38d7fc3736d52a1e96b230c1ccd4a58a2f400a6"
integrity sha512-PBsVO+15KSlGmiI8QAzaqvsNlZlrDlyAJYcrXBCvVUxCp7VnXjkwPoFHgjEJXx3WF9BAwkA6nfCUA7i9sODzKA== integrity sha512-PBsVO+15KSlGmiI8QAzaqvsNlZlrDlyAJYcrXBCvVUxCp7VnXjkwPoFHgjEJXx3WF9BAwkA6nfCUA7i9sODzKA==
"@octokit/openapi-types@^18.0.0": "@octokit/openapi-types@^19.0.0":
version "18.0.0" version "19.0.0"
resolved "https://registry.yarnpkg.com/@octokit/openapi-types/-/openapi-types-18.0.0.tgz#f43d765b3c7533fd6fb88f3f25df079c24fccf69" resolved "https://registry.yarnpkg.com/@octokit/openapi-types/-/openapi-types-19.0.0.tgz#0101bf62ab14c1946149a0f8385440963e1253c4"
integrity sha512-V8GImKs3TeQRxRtXFpG2wl19V7444NIOTDF24AWuIbmNaNYOQMWRbjcGDXV5B+0n887fgDcuMNOmlul+k+oJtw== integrity sha512-PclQ6JGMTE9iUStpzMkwLCISFn/wDeRjkZFIKALpvJQNBGwDoYYi2fFvuHwssoQ1rXI5mfh6jgTgWuddeUzfWw==
"@octokit/openapi-types@^7.0.0": "@octokit/openapi-types@^7.0.0":
version "7.0.0" version "7.0.0"
@ -1187,6 +1224,13 @@
dependencies: dependencies:
"@octokit/types" "^6.34.0" "@octokit/types" "^6.34.0"
"@octokit/plugin-rest-endpoint-methods@^10.0.0":
version "10.0.0"
resolved "https://registry.yarnpkg.com/@octokit/plugin-rest-endpoint-methods/-/plugin-rest-endpoint-methods-10.0.0.tgz#040b36d6a15d4c7c534b0f44050051225f884cae"
integrity sha512-16VkwE2v6rXU+/gBsYC62M8lKWOphY5Lg4wpjYnVE9Zbu0J6IwiT5kILoj1YOB53XLmcJR+Nqp8DmifOPY4H3g==
dependencies:
"@octokit/types" "^12.0.0"
"@octokit/plugin-rest-endpoint-methods@^5.13.0": "@octokit/plugin-rest-endpoint-methods@^5.13.0":
version "5.13.0" version "5.13.0"
resolved "https://registry.yarnpkg.com/@octokit/plugin-rest-endpoint-methods/-/plugin-rest-endpoint-methods-5.13.0.tgz#8c46109021a3412233f6f50d28786f8e552427ba" resolved "https://registry.yarnpkg.com/@octokit/plugin-rest-endpoint-methods/-/plugin-rest-endpoint-methods-5.13.0.tgz#8c46109021a3412233f6f50d28786f8e552427ba"
@ -1195,13 +1239,6 @@
"@octokit/types" "^6.34.0" "@octokit/types" "^6.34.0"
deprecation "^2.3.1" deprecation "^2.3.1"
"@octokit/plugin-rest-endpoint-methods@^7.2.3":
version "7.2.3"
resolved "https://registry.yarnpkg.com/@octokit/plugin-rest-endpoint-methods/-/plugin-rest-endpoint-methods-7.2.3.tgz#37a84b171a6cb6658816c82c4082ac3512021797"
integrity sha512-I5Gml6kTAkzVlN7KCtjOM+Ruwe/rQppp0QU372K1GP7kNOYEKe8Xn5BW4sE62JAHdwpq95OQK/qGNyKQMUzVgA==
dependencies:
"@octokit/types" "^10.0.0"
"@octokit/request-error@^2.0.0": "@octokit/request-error@^2.0.0":
version "2.0.2" version "2.0.2"
resolved "https://registry.yarnpkg.com/@octokit/request-error/-/request-error-2.0.2.tgz#0e76b83f5d8fdda1db99027ea5f617c2e6ba9ed0" resolved "https://registry.yarnpkg.com/@octokit/request-error/-/request-error-2.0.2.tgz#0e76b83f5d8fdda1db99027ea5f617c2e6ba9ed0"
@ -1229,6 +1266,15 @@
deprecation "^2.0.0" deprecation "^2.0.0"
once "^1.4.0" once "^1.4.0"
"@octokit/request-error@^5.0.0":
version "5.0.1"
resolved "https://registry.yarnpkg.com/@octokit/request-error/-/request-error-5.0.1.tgz#277e3ce3b540b41525e07ba24c5ef5e868a72db9"
integrity sha512-X7pnyTMV7MgtGmiXBwmO6M5kIPrntOXdyKZLigNfQWSEQzVxR4a4vo49vJjTWX70mPndj8KhfT4Dx+2Ng3vnBQ==
dependencies:
"@octokit/types" "^12.0.0"
deprecation "^2.0.0"
once "^1.4.0"
"@octokit/request@^5.3.0": "@octokit/request@^5.3.0":
version "5.4.7" version "5.4.7"
resolved "https://registry.yarnpkg.com/@octokit/request/-/request-5.4.7.tgz#fd703ee092e0463ceba49ff7a3e61cb4cf8a0fde" resolved "https://registry.yarnpkg.com/@octokit/request/-/request-5.4.7.tgz#fd703ee092e0463ceba49ff7a3e61cb4cf8a0fde"
@ -1255,12 +1301,23 @@
node-fetch "^2.6.7" node-fetch "^2.6.7"
universal-user-agent "^6.0.0" universal-user-agent "^6.0.0"
"@octokit/types@^10.0.0": "@octokit/request@^8.0.1", "@octokit/request@^8.0.2":
version "10.0.0" version "8.1.3"
resolved "https://registry.yarnpkg.com/@octokit/types/-/types-10.0.0.tgz#7ee19c464ea4ada306c43f1a45d444000f419a4a" resolved "https://registry.yarnpkg.com/@octokit/request/-/request-8.1.3.tgz#03d7fb9b5fe8b800cd5c10d008f99ac02f27e8b4"
integrity sha512-Vm8IddVmhCgU1fxC1eyinpwqzXPEYu0NrYzD3YZjlGjyftdLBTeqNblRC0jmJmgxbJIsQlyogVeGnrNaaMVzIg== integrity sha512-iUvXP4QmysS8kyE/a4AGwR0A+tHDVxgW6TmPd2ci8/Xc8KjlBtTKSDpZlUT5Y4S4Nu+eM8LvbOYjVAp/sz3Gpg==
dependencies: dependencies:
"@octokit/openapi-types" "^18.0.0" "@octokit/endpoint" "^9.0.0"
"@octokit/request-error" "^5.0.0"
"@octokit/types" "^12.0.0"
is-plain-object "^5.0.0"
universal-user-agent "^6.0.0"
"@octokit/types@^12.0.0":
version "12.0.0"
resolved "https://registry.yarnpkg.com/@octokit/types/-/types-12.0.0.tgz#6b34309288b6f5ac9761d2589e3165cde1b95fee"
integrity sha512-EzD434aHTFifGudYAygnFlS1Tl6KhbTynEWELQXIbTY8Msvb5nEqTZIm7sbPEt4mQYLZwu3zPKVdeIrw0g7ovg==
dependencies:
"@octokit/openapi-types" "^19.0.0"
"@octokit/types@^5.0.0", "@octokit/types@^5.0.1": "@octokit/types@^5.0.0", "@octokit/types@^5.0.1":
version "5.4.1" version "5.4.1"