build-push-action/docs/advanced/secrets.md

2.7 KiB

Secrets

In the following example we will expose and use the GITHUB_TOKEN secret as provided by GitHub in your workflow.

First let's create our Dockerfile to use our secret:

#syntax=docker/dockerfile:1.2

FROM alpine
RUN --mount=type=secret,id=github_token \
  cat /run/secrets/github_token

If you need access to the secrets file from a non-root user, you'll need to set the uid in the --mount argument:

#syntax=docker/dockerfile:1.2

FROM alpine

# Create non-root user
RUN addgroup -S newuser && adduser -u 1001 -S -g newuser newuser

# Run everything after as non-privileged user.
USER newuser

RUN --mount=type=secret,uid=1001,id=github_token \
  cat /run/secrets/github_token

As you can see we have named our secret github_token. Here is the workflow you can use to expose this secret using the secrets input:

name: ci

on:
  push:
    branches:
      - 'main'

jobs:
  docker:
    runs-on: ubuntu-latest
    steps:
      -
        name: Checkout
        uses: actions/checkout@v2
      -
        name: Set up QEMU
        uses: docker/setup-qemu-action@v1
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v1
      -
        name: Build
        uses: docker/build-push-action@v2
        with:
          context: .
          platforms: linux/amd64,linux/arm64
          tags: user/app:latest
          secrets: |
            "github_token=${{ secrets.GITHUB_TOKEN }}"            

💡 You can also expose a secret file to the build with secret-files input:

secret-files: |
  "MY_SECRET=./secret.txt"  

If you're using GitHub secrets and need to handle multi-line value, you will need to place the key-value pair between quotes:

secrets: |
  "MYSECRET=${{ secrets.GPG_KEY }}"
  GIT_AUTH_TOKEN=abcdefghi,jklmno=0123456789
  "MYSECRET=aaaaaaaa
  bbbbbbb
  ccccccccc"
  FOO=bar
  "EMPTYLINE=aaaa
  
  bbbb
  ccc"
  "JSON_SECRET={""key1"":""value1"",""key2"":""value2""}"  
Key Value
MYSECRET ***********************
GIT_AUTH_TOKEN abcdefghi,jklmno=0123456789
MYSECRET aaaaaaaa\nbbbbbbb\nccccccccc
FOO bar
EMPTYLINE aaaa\n\nbbbb\nccc
JSON_SECRET {"key1":"value1","key2":"value2"}

💡 All quote signs need to be doubled for escaping.