Write secrets to temporary files

pdabelf5 · pdabelf5 · commit af6a0c822cdd · 2025-11-10T12:16:05.000Z
diff --git a/.github/workflows/build-base-images.yml b/.github/workflows/build-base-images.yml
@@ -138,26 +138,8 @@ jobs:
           echo "Setting secrets for job"
           PLUS_CREDS=$(az keyvault secret show --name plus-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
           echo "::add-mask::$PLUS_CREDS"
-          IFS=@ cert=$(echo $PLUS_CREDS | jq -r '.crt')
-          {
-            echo 'PLUS_CERT<<EOF'
-            echo $cert
-            echo 'EOF'
-          } >> "$GITHUB_OUTPUT"
-          while read -r line;
-          do
-            echo "::add-mask::${line}"
-          done <<< "${PLUS_CERT}"
-          IFS=@ key=$(echo $PLUS_CREDS | jq -r '.key')
-          {
-            echo 'PLUS_KEY<<EOF'
-            echo $key
-            echo 'EOF'
-          } >> "$GITHUB_OUTPUT"
-          while read -r line;
-          do
-            echo "::add-mask::${line}"
-          done <<< "${PLUS_KEY}"
+          echo $PLUS_CREDS | jq -r '.crt' > nginx-repo.crt
+          echo $PLUS_CREDS | jq -r '.key' > nginx-repo.key
 
       - name: Docker Buildx
         uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
@@ -208,9 +190,14 @@ jobs:
           build-args: |
             BUILD_OS=${{ matrix.image }}
             IC_VERSION=${{ needs.checks.outputs.ic_version }}
-          secrets: |
-            "nginx-repo.crt=${{ steps.secrets.outputs.PLUS_CERT }}"
-            "nginx-repo.key=${{ steps.secrets.outputs.PLUS_KEY }}"
+          secret-files: |
+            "nginx-repo.crt=nginx-repo.crt"
+            "nginx-repo.key=nginx-repo.key"
+
+      - name: Clean up secrets
+        run: |
+          rm -f nginx-repo.crt nginx-repo.key
+        if: always()
 
   build-plus-nap:
     name: Build Plus NAP base images
