From 8e6d0077cbe7796305a9e340981bdcf0b5bfcfb5 Mon Sep 17 00:00:00 2001
From: ZuhairM7
Date: Mon, 24 Nov 2025 23:18:11 -0600
Subject: [PATCH] bindings: fix handling of env secrets in remote builds

Previously, using --secret=id=foo,env=BAR in remote mode would fail because the client sent the env var name to the server, which tried to resolve it locally. This patch modifies the client to resolve the environment variable locally, write it to a temp file, and send it as a file-based secret.

Fixes #27494

Signed-off-by: ZuhairM7
---
 pkg/bindings/images/build.go | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/pkg/bindings/images/build.go b/pkg/bindings/images/build.go
index ed64366d303..ac389ca0e37 100644
--- a/pkg/bindings/images/build.go
+++ b/pkg/bindings/images/build.go
@@ -637,6 +637,20 @@ func prepareSecrets(secrets []string, contextDir string, tempManager *remote_bui
 // add tmp file to context dir
 tarContent = append(tarContent, tmpSecretFilePath)

+ modifiedSrc := fmt.Sprintf("src=%s", filepath.Base(tmpSecretFilePath))
+ modifiedOpt = append(modifiedOpt, modifiedSrc)
+ } else if opt == "env" {
+ // read specified env into a tmp file
+ // move tmp file to tar and change secret source to relative tmp file
+ secretVal := os.Getenv(val)
+ tmpSecretFilePath, err := tempManager.CreateTempFileFromReader(contextDir, "podman-build-secret-*", strings.NewReader(secretVal))
+ if err != nil {
+ return nil, nil, err
+ }
+
+ // add tmp file to context dir
+ tarContent = append(tarContent, tmpSecretFilePath)
+
 modifiedSrc := fmt.Sprintf("src=%s", filepath.Base(tmpSecretFilePath))
 modifiedOpt = append(modifiedOpt, modifiedSrc)
 } else {
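Review bot: `os.Getenv(val)` in the new `env` branch cannot tell an unset variable from an empty one, so a mistyped or missing variable name silently sends an empty secret to the server instead of failing on the client. Use `secretVal, ok := os.LookupEnv(val)` followed by `if !ok { return nil, nil, fmt.Errorf("secret env var %q is not set", val) }`. The branch also writes the secret value to a file inside `contextDir` and adds it to the tar; the hunk does not show what mode `CreateTempFileFromReader` uses or when the file is removed, so it is worth confirming that it is created owner-only and cleaned up on every error path. If a `type=env` token can accompany `env=` and is forwarded unchanged by the `else` branch (its body is outside the hunk), the server would presumably receive `type=env` together with the rewritten `src=`, which should be checked. `prepareSecrets` starts and ends outside the hunk.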