Restore secret mount functionality for challenge compatibility

Copilot · commjoen · Copilot · commit 07ec9d9ff9b8 · 2025-09-19T04:28:03.000Z
Co-authored-by: commjoen &lt;1457214+commjoen@users.noreply.github.com&gt;
diff --git a/.github/scripts/docker-create.sh b/.github/scripts/docker-create.sh
@@ -379,10 +379,10 @@ create_containers() {
         docker buildx build --no-cache --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets:$tag-k8s-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=kubernetes-vault" --secret id=mysecret,env=SECRET_VALUE --push ./../../.
         docker buildx build --no-cache --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets:latest-k8s-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=kubernetes-vault" --secret id=mysecret,env=SECRET_VALUE --push ./../../.
         cd ../..
-        docker buildx build --no-cache --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets-desktop:$tag -f Dockerfile_webdesktop --push .
-        docker buildx build --no-cache --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets-desktop:latest -f Dockerfile_webdesktop --push .
-        docker buildx build --no-cache --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets-desktop-k8s:$tag -f Dockerfile_webdesktopk8s --push .
-        docker buildx build --no-cache --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets-desktop-k8s:latest -f Dockerfile_webdesktopk8s --push .
+        docker buildx build --no-cache --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets-desktop:$tag -f Dockerfile_webdesktop --secret id=mysecret,env=SECRET_VALUE --push .
+        docker buildx build --no-cache --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets-desktop:latest -f Dockerfile_webdesktop --secret id=mysecret,env=SECRET_VALUE --push .
+        docker buildx build --no-cache --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets-desktop-k8s:$tag -f Dockerfile_webdesktopk8s --secret id=mysecret,env=SECRET_VALUE --push .
+        docker buildx build --no-cache --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets-desktop-k8s:latest -f Dockerfile_webdesktopk8s --secret id=mysecret,env=SECRET_VALUE --push .
         cd k8s/challenge53
         cp ../../src/main/resources/executables/wrongsecrets-challenge53-* ./executables
         docker buildx build --no-cache --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets-challenge53:$tag -f Dockerfile --push .
diff --git a/.github/workflows/pr-desktop-containers.yml b/.github/workflows/pr-desktop-containers.yml
@@ -92,6 +92,10 @@ jobs:
             type=ref,event=pr,suffix=-{{sha}}
             type=ref,event=pr
 
+      - name: Create secret file for build
+        run: |
+          echo "wrongsecret-3" > /tmp/mysecret.txt
+
       - name: Build and push Docker image
         id: build
         uses: docker/build-push-action@v6
@@ -104,6 +108,8 @@ jobs:
           labels: ${{ steps.meta.outputs.labels }}
           build-args: |
             argBasedVersion=${{ steps.extract-version.outputs.docker_version }}
+          secrets: |
+            mysecret=/tmp/mysecret.txt
           cache-from: type=gha,scope=${{ matrix.container.name }}-pr
           cache-to: type=gha,mode=max,scope=${{ matrix.container.name }}-pr
 
diff --git a/Dockerfile_webdesktop b/Dockerfile_webdesktop
@@ -32,6 +32,15 @@ RUN \
 
 WORKDIR /config/Desktop
 
+# Add secret handling for challenge functionality
+# Create the /app directory to store the secret
+RUN mkdir -p /app
+
+# Use a separate RUN command for --mount
+RUN --mount=type=secret,id=mysecret \
+    export SECRET_VALUE=$(cat /run/secrets/mysecret) && \
+    echo $SECRET_VALUE >> /app/secret.txt
+
 # Create directories for copied files
 RUN mkdir -p /var/tmp/wrongsecrets /var/tmp/wrongsecrets/decrypt
 
diff --git a/Dockerfile_webdesktopk8s b/Dockerfile_webdesktopk8s
@@ -37,6 +37,15 @@ RUN \
 
 WORKDIR /config/Desktop
 
+# Add secret handling for challenge functionality
+# Create the /app directory to store the secret
+RUN mkdir -p /app
+
+# Use a separate RUN command for --mount
+RUN --mount=type=secret,id=mysecret \
+    export SECRET_VALUE=$(cat /run/secrets/mysecret) && \
+    echo $SECRET_VALUE >> /app/secret.txt
+
 # Create directories for copied files
 RUN mkdir -p /var/tmp/wrongsecrets /var/tmp/wrongsecrets/decrypt
 
