feat(docker/build-image): support secret-envs

neilime · neilime · commit db03eac85df6 · 2025-02-17T17:09:33.000+01:00
Signed-off-by: Emilien Escalle &lt;emilien.escalle@escemi.com&gt;
diff --git a/.github/workflows/__test-workflow-docker-build-images.yml b/.github/workflows/__test-workflow-docker-build-images.yml
@@ -64,6 +64,10 @@ jobs:
               "BUILD_RUN_ID": "${{ github.run_id }}",
               "BUILD_REPOSITORY_OWNER": "${{ github.repository_owner }}",
               "BUILD_REPOSITORY": "${{ github.repository }}"
+            },
+            "secret-envs": {
+              "SECRET_ENV_REPOSITORY_OWNER": "GITHUB_REPOSITORY_OWNER",
+              "SECRET_ENV_REPOSITORY": "GITHUB_REPOSITORY"
             }
           }
         ]
diff --git a/.github/workflows/docker-build-images.md b/.github/workflows/docker-build-images.md
@@ -75,6 +75,9 @@ jobs:
       #        "APP_PATH": "./application/",
       #        "PROD_MODE": "true"
       #      },
+      #      "secret-envs": {
+      #        "GH_TOKEN": "GITHUB_TOKEN"
+      #      },
       #      "platforms": [
       #        "linux/amd64",
       #        {
@@ -114,15 +117,16 @@ jobs:
 
 ### Images entry parameters
 
-| **Parameter**               | **Description**                                                                                                                                                                                                                                            | **Default**             | **Required** |
-| --------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------- | ------------ |
-| **<code>name</code>**       | Image name. Must be unique. It is used as `image` in [Docker build-image action](../../actions/docker/build-image/README.md)                                                                                                                               |                         | **true**     |
-| **<code>repository</code>** | Repository name. See [Docker build-image action](../../actions/docker/build-image/README.md)                                                                                                                                                               |                         | **false**    |
-| **<code>context</code>**    | Build context. See [Docker build-image action](../../actions/docker/build-image/README.md)                                                                                                                                                                 | <code>.</code>          | **false**    |
-| **<code>dockerfile</code>** | Location of Dockerfile. See [Docker build-image action](../../actions/docker/build-image/README.md)                                                                                                                                                        | <code>Dockerfile</code> | **false**    |
-| **<code>target</code>**     | Sets the target stage to build. See [Docker build-image action](../../actions/docker/build-image/README.md)                                                                                                                                                |                         | **true**     |
-| **<code>build-args</code>** | List of build-time variables. See [Docker build-image action](../../actions/docker/build-image/README.md)                                                                                                                                                  |                         | **false**    |
-| **<code>platforms</code>**  | List of platforms to build for. It is used as `platform` in [Docker build-image action](../../actions/docker/build-image/README.md). Can be a string (Example: `linux/amd64`) or an object (Example: `{"name": "darwin/amd64","runs-on": "macos-latest"}`) |                         | **true**     |
+| **Parameter**                | **Description**                                                                                                                                                                                                                                            | **Default**             | **Required** |
+| ---------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------- | ------------ |
+| **<code>name</code>**        | Image name. Must be unique. It is used as `image` in [Docker build-image action](../../actions/docker/build-image/README.md)                                                                                                                               |                         | **true**     |
+| **<code>repository</code>**  | Repository name. See [Docker build-image action](../../actions/docker/build-image/README.md)                                                                                                                                                               |                         | **false**    |
+| **<code>context</code>**     | Build context. See [Docker build-image action](../../actions/docker/build-image/README.md)                                                                                                                                                                 | <code>.</code>          | **false**    |
+| **<code>dockerfile</code>**  | Location of Dockerfile. See [Docker build-image action](../../actions/docker/build-image/README.md)                                                                                                                                                        | <code>Dockerfile</code> | **false**    |
+| **<code>target</code>**      | Sets the target stage to build. See [Docker build-image action](../../actions/docker/build-image/README.md)                                                                                                                                                |                         | **true**     |
+| **<code>build-args</code>**  | List of build-time variables. See [Docker build-image action](../../actions/docker/build-image/README.md)                                                                                                                                                  |                         | **false**    |
+| **<code>secret-envs</code>** | List of secret environment variables to expose to the build. See [Docker build-image action](../../actions/docker/build-image/README.md)                                                                                                                   |                         | **false**    |
+| **<code>platforms</code>**   | List of platforms to build for. It is used as `platform` in [Docker build-image action](../../actions/docker/build-image/README.md). Can be a string (Example: `linux/amd64`) or an object (Example: `{"name": "darwin/amd64","runs-on": "macos-latest"}`) |                         | **true**     |
 
 #### Platforms entry parameters
 
diff --git a/.github/workflows/docker-build-images.yml b/.github/workflows/docker-build-images.yml
@@ -65,6 +65,9 @@ on: # yamllint disable-line rule:truthy
                 "APP_PATH": "./application/",
                 "PROD_MODE": "true"
               },
+              "secret-envs": {
+                "GH_TOKEN": "GITHUB_TOKEN"
+              },
               "platforms": [
                 "linux/amd64",
                 {
@@ -174,6 +177,14 @@ jobs:
                 image['build-args'] = buildArgs;
               }
 
+              // Format secret-envs object to string
+              if (image['secret-envs']) {
+                const secretEnvs = Object.keys(image['secret-envs'])
+                  .map(key => `${key}=${image['secret-envs'][key]}`)
+                  .join('\n');
+                image['secret-envs'] = secretEnvs;
+              }
+
               // Set default repository
               if (!image['repository']) {
                 image['repository'] = `${{ github.repository }}`;
@@ -325,6 +336,7 @@ jobs:
           build-args: ${{ matrix.image.build-args }}
           target: ${{ matrix.image.target }}
           platform: ${{ matrix.image.platform }}
+          secret-envs: ${{ matrix.image.secret-envs }}
           secrets: ${{ secrets.build-secrets }}
 
       # FIXME: Set built images infos in file to be uploaded as artifacts, because github action does not handle job outputs for matrix
diff --git a/actions/docker/build-image/action.yml b/actions/docker/build-image/action.yml
@@ -98,6 +98,11 @@ inputs:
       List of secrets to expose to the build.
       See <https://docs.docker.com/build/ci/github-actions/secrets/>.
     required: false
+  secret-envs:
+    description: |
+      List of secret environment variables to expose to the build (e.g., key=envname, MY_SECRET=MY_ENV_VAR).
+      See <https://docs.docker.com/build/ci/github-actions/secrets/>.
+    required: false
 
 runs:
   using: "composite"
@@ -218,6 +223,7 @@ runs:
         target: ${{ inputs.target }}
         file: ${{ github.workspace }}/${{ inputs.context }}/${{ inputs.dockerfile }}
         secrets: ${{ inputs.secrets }}
+        secret-envs: ${{ inputs.secret-envs }}
         platforms: ${{ inputs.platform }}
         cache-from: ${{ steps.cache.outputs.cache-from }}
         cache-to: ${{ steps.cache.outputs.cache-to }}
diff --git a/tests/application/Dockerfile b/tests/application/Dockerfile
@@ -33,4 +33,11 @@ RUN --mount=type=secret,id=SECRET_REPOSITORY_OWNER test "$(cat /run/secrets/SECR
 RUN --mount=type=secret,id=SECRET_REPOSITORY test -f /run/secrets/SECRET_REPOSITORY || (echo "Error: SECRET_REPOSITORY is not set" && exit 1);
 RUN --mount=type=secret,id=SECRET_REPOSITORY test "$(cat /run/secrets/SECRET_REPOSITORY)" = "$EXPECTED_REPOSITORY" || (echo "Error: SECRET_REPOSITORY is not \"$EXPECTED_REPOSITORY\"" && exit 1);
 
+# Test that secret envs are passed
+RUN --mount=type=secret,id=SECRET_ENV_REPOSITORY_OWNER test -f /run/secrets/SECRET_ENV_REPOSITORY_OWNER || (echo "Error: SECRET_ENV_REPOSITORY_OWNER is not set" && exit 1);
+RUN --mount=type=secret,id=SECRET_ENV_REPOSITORY_OWNER test "$(cat /run/secrets/SECRET_ENV_REPOSITORY_OWNER)" = "$EXPECTED_REPOSITORY_OWNER" || (echo "Error: SECRET_ENV_REPOSITORY_OWNER is not \"$EXPECTED_REPOSITORY_OWNER\"" && exit 1);
+
+RUN --mount=type=secret,id=SECRET_ENV_REPOSITORY test -f /run/secrets/SECRET_ENV_REPOSITORY || (echo "Error: SECRET_ENV_REPOSITORY is not set" && exit 1);
+RUN --mount=type=secret,id=SECRET_ENV_REPOSITORY test "$(cat /run/secrets/SECRET_ENV_REPOSITORY)" = "$EXPECTED_REPOSITORY" || (echo "Error: SECRET_ENV_REPOSITORY is not \"$EXPECTED_REPOSITORY\"" && exit 1);
+
 USER test

Original file line number	Diff line number	Diff line change
`@@ -64,6 +64,10 @@ jobs:`
`64`	`64`	`"BUILD_RUN_ID": "${{ github.run_id }}",`
`65`	`65`	`"BUILD_REPOSITORY_OWNER": "${{ github.repository_owner }}",`
`66`	`66`	`"BUILD_REPOSITORY": "${{ github.repository }}"`
	`67`	`+ },`
	`68`	`+ "secret-envs": {`
	`69`	`+ "SECRET_ENV_REPOSITORY_OWNER": "GITHUB_REPOSITORY_OWNER",`
	`70`	`+ "SECRET_ENV_REPOSITORY": "GITHUB_REPOSITORY"`
`67`	`71`	`}`
`68`	`72`	`}`
`69`	`73`	`]`