
Commit 5e99595

committed
feat(docker/build-image): support secret-envs
Signed-off-by: Emilien Escalle <emilien.escalle@escemi.com>
1 parent c17227b commit 5e99595

5 files changed

+93
-29
lines changed


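--- a/.github/workflows/__test-workflow-docker-build-images.yml
+++ b/.github/workflows/__test-workflow-docker-build-images.yml
@@ -28,27 +28,43 @@ jobs:
 uses: ./.github/workflows/docker-build-images.yml
 secrets:
 oci-registry-password: ${{ secrets.GITHUB_TOKEN }}
+build-secrets: |
+SECRET_ACTION=${{ github.action }}
+SECRET_ACTION_REPOSITORY=${{ github.action_repository }}
 with:
-# First image is multi arch, multi build-args
-# Second image is mono arch, single build-args
+# First image is multi arch
+# Second image is mono arch
+# Third image tests build args, secrets
 images: |
 [
 {
 "name": "application-multi-arch",
 "context": ".",
 "dockerfile": "./tests/application/Dockerfile",
-"build-args": { "PROD_MODE": "true", "BUILD_ID": "${{ github.run_id }}" },
+"build-args": { "BUILD_ACTION": "${{ github.action }}" },
 "target": "prod",
 "platforms": ["linux/amd64","linux/arm64","linux/arm/v7"]
 },
 {
 "name": "application-mono-arch",
 "context": ".",
 "dockerfile": "./tests/application/Dockerfile",
-"build-args": { "PROD_MODE": "true" },
+"build-args": { "BUILD_ACTION": "${{ github.action }}" },
 "target": "prod",
 "platforms": ["linux/amd64"],
 "tag": "0.1.0"
+},
+{
+"name": "application-test",
+"context": ".",
+"target": "test",
+"dockerfile": "./tests/application/Dockerfile",
+"platforms": ["linux/amd64"],
+"build-args": { "BUILD_ACTION": "${{ github.action }}", "BUILD_ACTION_REPOSITORY": "${{ github.action_repository }}" },
+"secret-envs": {
+"SECRET_ENV_ACTION": "GITHUB_ACTION",
+"SECRET_ENV_ACTION_REPOSITORY": "GITHUB_ACTION_REPOSITORY"
+}
 }
 ]
 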
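Review bot: The `secret-envs` mapping on the new `application-test` entry holds environment-variable names, not values, and the fixture relies on `GITHUB_ACTION` and `GITHUB_ACTION_REPOSITORY` being default runner variables that exist in the build job of the reusable workflow. Nothing in the hunk says so, and the same two values are also passed in clear as `build-args`, so a reader could take this entry as the intended way to hand real secrets to a build. A one-line comment above the entry would prevent that: `# secret-envs maps a secret id to the NAME of an env var present in the build job (runner defaults here); values never appear in the image`. Whether caller-defined `env:` values reach that job I cannot tell from this hunk; if they do not, the comment should say so.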

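--- a/.github/workflows/docker-build-images.md
+++ b/.github/workflows/docker-build-images.md
@@ -64,20 +64,29 @@ jobs:
 # Default: "${{ github.repository_owner }}"
 oci-registry-username: ""
 
-# Images to build parameters. Json array of objects.
-# Example: [{
-# "name": "application",
-# "dockerfile": "./docker/application/Dockerfile",
-# "build-args": { "APP_PATH": "./application/", "PROD_MODE": "true" },
-# "target": "prod",
-# "platforms": [
+# Images to build parameters. Json array of objects.
+# Example: [
+# {
+# "name": "application",
+# "context": ".",
+# "dockerfile": "./docker/application/Dockerfile",
+# "target": "prod",
+# "build-args": {
+# "APP_PATH": "./application/",
+# "PROD_MODE": "true"
+# },
+# "secret-envs": {
+# "GH_TOKEN": "GITHUB_TOKEN"
+# },
+# "platforms": [
 # "linux/amd64",
 # {
-# "name": "darwin/amd64",
-# "runs-on": "macos-latest"
+# "name": "darwin/amd64",
+# "runs-on": "macos-latest"
 # }
-# ]
-# }]
+# ]
+# }
+# ]
 images: ""
 ```
 
@@ -86,9 +95,9 @@ jobs:
 
 ## Secrets
 
-| **Secret** | **Description** |
-| -------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------ |
-| **<code>oci-registry-password</code>** | Password or GitHub token (packages:read and packages:write scopes) used to log against the OCI registry. See <https://github.com/docker/login-action#usage>. |
+| **Secret** | **Description** |
+| -------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| **<code>oci-registry-password</code>** | Password or GitHub token (`packages:read` and `packages:write` scopes) used to log against the OCI registry. See <https://github.com/docker/login-action#usage>. |
 
 <!-- end secrets -->
 <!-- start inputs -->
@@ -108,15 +117,16 @@ jobs:
 
 ### Images entry parameters
 
-| **Parameter** | **Description** | **Default** | **Required** |
-| --------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------- | ------------ |
-| **<code>name</code>** | Image name. Must be unique. It is used as `image` in [Docker build-image action](../../actions/docker/build-image/README.md) | | **true** |
-| **<code>repository</code>** | Repository name. See [Docker build-image action](../../actions/docker/build-image/README.md) | | **false** |
-| **<code>context</code>** | Build context. See [Docker build-image action](../../actions/docker/build-image/README.md) | <code>.</code> | **false** |
-| **<code>dockerfile</code>** | Location of Dockerfile. See [Docker build-image action](../../actions/docker/build-image/README.md) | <code>Dockerfile</code> | **false** |
-| **<code>build-args</code>** | List of build-time variables. See [Docker build-image action](../../actions/docker/build-image/README.md) | | **false** |
-| **<code>target</code>** | Sets the target stage to build. See [Docker build-image action](../../actions/docker/build-image/README.md) | | **true** |
-| **<code>platforms</code>** | List of platforms to build for. It is used as `platform` in [Docker build-image action](../../actions/docker/build-image/README.md). Can be a string (Example: `linux/amd64`) or an object (Example: `{"name": "darwin/amd64","runs-on": "macos-latest"}`) | | **true** |
+| **Parameter** | **Description** | **Default** | **Required** |
+| ---------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------- | ------------ |
+| **<code>name</code>** | Image name. Must be unique. It is used as `image` in [Docker build-image action](../../actions/docker/build-image/README.md) | | **true** |
+| **<code>repository</code>** | Repository name. See [Docker build-image action](../../actions/docker/build-image/README.md) | | **false** |
+| **<code>context</code>** | Build context. See [Docker build-image action](../../actions/docker/build-image/README.md) | <code>.</code> | **false** |
+| **<code>dockerfile</code>** | Location of Dockerfile. See [Docker build-image action](../../actions/docker/build-image/README.md) | <code>Dockerfile</code> | **false** |
+| **<code>target</code>** | Sets the target stage to build. See [Docker build-image action](../../actions/docker/build-image/README.md) | | **true** |
+| **<code>build-args</code>** | List of build-time variables. See [Docker build-image action](../../actions/docker/build-image/README.md) | | **false** |
+| **<code>secret-envs</code>** | List of secret environment variables to expose to the build. See [Docker build-image action](../../actions/docker/build-image/README.md) | | **false** |
+| **<code>platforms</code>** | List of platforms to build for. It is used as `platform` in [Docker build-image action](../../actions/docker/build-image/README.md). Can be a string (Example: `linux/amd64`) or an object (Example: `{"name": "darwin/amd64","runs-on": "macos-latest"}`) | | **true** |
 
 #### Platforms entry parameters
 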
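--- a/.github/workflows/docker-build-images.yml
+++ b/.github/workflows/docker-build-images.yml
@@ -60,11 +60,14 @@ on: # yamllint disable-line rule:truthy
 "name": "application",
 "context": ".",
 "dockerfile": "./docker/application/Dockerfile",
+"target": "prod",
 "build-args": {
 "APP_PATH": "./application/",
 "PROD_MODE": "true"
 },
-"target": "prod",
+"secret-envs": {
+"GH_TOKEN": "GITHUB_TOKEN"
+},
 "platforms": [
 "linux/amd64",
 {
@@ -174,6 +177,14 @@ jobs:
 image['build-args'] = buildArgs;
 }
 
+// Format secret-envs object to string
+if (image['secret-envs']) {
+const secretEnvs = Object.keys(image['secret-envs'])
+.map(key => `${key}=${image['secret-envs'][key]}`)
+.join('\n');
+image['secret-envs'] = secretEnvs;
+}
+
 // Set default repository
 if (!image['repository']) {
 image['repository'] = `${{ github.repository }}`;
@@ -325,6 +336,7 @@ jobs:
 build-args: ${{ matrix.image.build-args }}
 target: ${{ matrix.image.target }}
 platform: ${{ matrix.image.platform }}
+secret-envs: ${{ matrix.image.secret-envs }}
 secrets: ${{ secrets.build-secrets }}
 
 # FIXME: Set built images infos in file to be uploaded as artifacts, because github action does not handle job outputs for matrix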
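Review bot: The new `secret-envs` conversion in the script step guards only on truthiness, so an entry already supplied in the `key=envname` string form that this commit documents on the action input (and that nothing visible here rejects) is handed to `Object.keys` and rewritten as `0=G`, `1=H`, … before it reaches the build step in the third hunk. Guarding on the type leaves strings untouched: `if (image['secret-envs'] && typeof image['secret-envs'] === 'object') {`. The `build-args` branch just above appears to have the same shape, but it lies mostly outside the hunk, as does the start and end of the enclosing script block. Separately, the updated example in the first hunk maps `GH_TOKEN` to `GITHUB_TOKEN`, which is a workflow secret rather than a default runner environment variable; unless the build job exports it under that name the example would resolve to an empty secret, so a short note there would help readers.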

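--- a/actions/docker/build-image/action.yml
+++ b/actions/docker/build-image/action.yml
@@ -98,6 +98,11 @@ inputs:
 List of secrets to expose to the build.
 See <https://docs.docker.com/build/ci/github-actions/secrets/>.
 required: false
+secret-envs:
+description: |
+List of secret environment variables to expose to the build (e.g., key=envname, MY_SECRET=MY_ENV_VAR).
+See <https://docs.docker.com/build/ci/github-actions/secrets/>.
+required: false
 
 runs:
 using: "composite"
@@ -218,6 +223,7 @@ runs:
 target: ${{ inputs.target }}
 file: ${{ github.workspace }}/${{ inputs.context }}/${{ inputs.dockerfile }}
 secrets: ${{ inputs.secrets }}
+secret-envs: ${{ inputs.secret-envs }}
 platforms: ${{ inputs.platform }}
 cache-from: ${{ steps.cache.outputs.cache-from }}
 cache-to: ${{ steps.cache.outputs.cache-to }}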
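Review bot: The new `secret-envs` description gives the entry format but neither the separator between entries nor where the named variable has to come from, while the second hunk passes the value straight through to the build step. Since the reusable workflow in this commit joins entries with newlines, the description should say so and name the contract: `List of secret environment variables to expose to the build, one id=ENV_NAME entry per line (e.g., MY_SECRET=MY_ENV_VAR). ENV_NAME must be set in the environment of the job running this action; the Dockerfile sees only the secret id via --mount=type=secret.` I cannot confirm from this hunk how the downstream build step splits the list, so the "one per line" wording assumes its documented format.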

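--- a/tests/application/Dockerfile
+++ b/tests/application/Dockerfile
@@ -4,4 +4,24 @@ HEALTHCHECK --interval=5s --timeout=3s --retries=3 CMD ["/healthcheck"]
 
 USER test
 
-FROM base AS prod
+FROM base AS prod
+
+FROM prod AS test
+
+ENV EXPECTED_ACTION=test
+ENV EXPECTED_ACTION_REPOSITORY=hoverkraft-tech/ci-github-container
+
+# Test that the build args are set
+ARG BUILD_ACTION
+RUN test -n "$BUILD_ACTION" && test "$BUILD_ACTION" = "$EXPECTED_ACTION"
+
+ARG BUILD_ACTION_REPOSITORY
+RUN test -n "$BUILD_ACTION_REPOSITORY" && test "$BUILD_ACTION_REPOSITORY" = "$EXPECTED_ACTION_REPOSITORY"
+
+# Test that secrets are passed
+RUN --mount=type=secret,id=SECRET_ACTION test -f /run/secrets/SECRET_ACTION && test "$(cat /run/secrets/SECRET_ACTION)" = "$EXPECTED_ACTION"
+RUN --mount=type=secret,id=SECRET_ACTION_REPOSITORY test -f /run/secrets/SECRET_ACTION_REPOSITORY && test "$(cat /run/secrets/SECRET_ACTION_REPOSITORY)" = "$EXPECTED_ACTION_REPOSITORY"
+
+# Test that secret envs are passed
+RUN --mount=type=secret,id=SECRET_ENV_ACTION test -f /run/secrets/SECRET_ENV_ACTION && test "$(cat /run/secrets/SECRET_ACTION)" = "$EXPECTED_ACTION"
+RUN --mount=type=secret,id=SECRET_ENV_ACTION_REPOSITORY test -f /run/secrets/SECRET_ENV_ACTION_REPOSITORY && test "$(cat /run/secrets/SECRET_ACTION_REPOSITORY)" = "$EXPECTED_ACTION_REPOSITORY"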
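Review bot: The two "secret envs" checks at the end mount `SECRET_ENV_ACTION` and `SECRET_ENV_ACTION_REPOSITORY` but then read `/run/secrets/SECRET_ACTION` and `/run/secrets/SECRET_ACTION_REPOSITORY`, which are not mounted in those `RUN` instructions (a `--mount=type=secret` is scoped to its own instruction), so `cat` fails, the comparison runs against an empty string and the step should fail rather than verify the new feature. The read paths should match the mounted ids: `RUN --mount=type=secret,id=SECRET_ENV_ACTION test -f /run/secrets/SECRET_ENV_ACTION && test "$(cat /run/secrets/SECRET_ENV_ACTION)" = "$EXPECTED_ACTION"` and `RUN --mount=type=secret,id=SECRET_ENV_ACTION_REPOSITORY test -f /run/secrets/SECRET_ENV_ACTION_REPOSITORY && test "$(cat /run/secrets/SECRET_ENV_ACTION_REPOSITORY)" = "$EXPECTED_ACTION_REPOSITORY"`. The hard-coded `ENV EXPECTED_ACTION_REPOSITORY=hoverkraft-tech/ci-github-container` also pins the `test` stage to one repository, so a fork running the same workflow would fail that assertion; supplying the expected value as a build arg would keep the check portable.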
