Support secrets for building the cached image

koterpillar · koterpillar · commit d16d4e6876c5 · 2021-06-30T16:11:29.000+10:00
diff --git a/README.md b/README.md
@@ -167,6 +167,37 @@ steps:
       - docker#v3.3.0
 ```
 
+### Specifying secrets
+
+[Build-time variables] can be extracted from a pulled image, so when passing
+sensitive data, [secrets] should be used instead.
+
+[secrets]: https://docs.docker.com/develop/develop-images/build_enhancements/#new-docker-build-secret-information
+
+To use environment variables (perhaps fetched by another plugin) as secrets:
+
+```dockerfile
+# syntax=docker/dockerfile:1.2
+
+FROM bash
+
+RUN --mount=type=secret,id=SECRET cat /run/secrets/SECRET
+```
+
+```yaml
+steps:
+  - command: echo amaze
+    env:
+      SECRET: wow
+    plugins:
+      - seek-oss/docker-ecr-cache#v1.9.0:
+          secrets:
+            - SECRET
+      - docker#v3.3.0
+```
+
+You must have a recent version of Docker with BuildKit enabled to use secrets.
+
 ### Changing the max cache time
 
 By default images are kept in ECR for up to 30 days. This can be changed by specifying a `max-age-days` parameter:
diff --git a/hooks/lib/stdlib.bash b/hooks/lib/stdlib.bash
@@ -20,6 +20,14 @@ read_build_args() {
   done
 }
 
+read_secrets() {
+  read_list_property 'SECRETS'
+  for arg in ${result[@]+"${result[@]}"}; do
+    secrets_args+=("--secret")
+    secrets_args+=("id=${arg},env=${arg}")
+  done
+}
+
 # read a plugin property of type [array, string] into a Bash array. Buildkite
 # exposes a string value at BUILDKITE_PLUGIN_{NAME}_{KEY}, and array values at
 # BUILDKITE_PLUGIN_{NAME}_{KEY}_{IDX}.
diff --git a/hooks/pre-command b/hooks/pre-command
@@ -20,6 +20,9 @@ context="${BUILDKITE_PLUGIN_DOCKER_ECR_CACHE_CONTEXT:-"${docker_file_dir}"}"
 build_args=()
 read_build_args
 
+secrets_args=()
+read_secrets
+
 echo "--- Pulling image"
 if ! docker pull "${image}:${tag}"; then
   echo '--- Building image'
@@ -40,6 +43,13 @@ if ! docker pull "${image}:${tag}"; then
       )
     done
   fi
+  if [[ "${#secrets_args[@]}" -gt 0 ]]; then
+    for sa in "${secrets_args[@]}"; do
+      image_build_args+=(
+        "${sa}"
+      )
+    done
+  fi
 
   echo "Inside $(pwd), running \`docker ${image_build_args[*]} ${context}\`"
   # We can't quote BUILDKITE_PLUGIN_DOCKER_ECR_CACHE_ADDITIONAL_BUILD_ARGS, because it's passed here as a string instead of a bash array.
