diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 62ef229..b3ebd3e 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -393,6 +393,31 @@ jobs:
 MYSECRET=foo
 INVALID_SECRET=
+ env-secret:
+ runs-on: ubuntu-latest
+ steps:
+ -
+ name: Checkout
+ uses: actions/checkout@v4
+ -
+ name: Set up Docker buildx
+ uses: docker/setup-buildx-action@v3
+ with:
+ version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+ driver-opts: |
+ image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+ -
+ name: Build
+ uses: ./
+ env:
+ ENV_SECRET: foo
+ with:
+ context: .
+ file: ./test/secret.Dockerfile
+ env-secrets: |
+ MYSECRET=ENV_SECRET
+ INVALID_SECRET=
+
 network:
 runs-on: ubuntu-latest
 steps:
diff --git a/README.md b/README.md
index b6f011b..375a561 100644
--- a/README.md
+++ b/README.md
@@ -213,38 +213,39 @@ Following inputs can be used as `step.with` keys > tags: name/app:latest,name/app:1.0.0 > ``` -| Name | Type | Description | -|--------------------|-------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `add-hosts` | List/CSV | List of [customs host-to-IP mapping](https://docs.docker.com/engine/reference/commandline/build/#add-entries-to-container-hosts-file---add-host) (e.g., `docker:10.180.0.1`) | -| `allow` | List/CSV | List of [extra privileged entitlement](https://docs.docker.com/engine/reference/commandline/buildx_build/#allow) (e.g., `network.host,security.insecure`) | -| `attests` | List | List of [attestation](https://docs.docker.com/build/attestations/) parameters (e.g., `type=sbom,generator=image`) | -| `builder` | String | Builder instance (see [setup-buildx](https://github.com/docker/setup-buildx-action) action) | -| `build-args` | List | List of [build-time variables](https://docs.docker.com/engine/reference/commandline/buildx_build/#build-arg) | -| `build-contexts` | List | List of additional [build contexts](https://docs.docker.com/engine/reference/commandline/buildx_build/#build-context) (e.g., `name=path`) | -| `cache-from` | List | List of [external cache sources](https://docs.docker.com/engine/reference/commandline/buildx_build/#cache-from) (e.g., `type=local,src=path/to/dir`) | -| `cache-to` | List | List of [cache export destinations](https://docs.docker.com/engine/reference/commandline/buildx_build/#cache-to) (e.g., `type=local,dest=path/to/dir`) | -| `cgroup-parent` | String | Optional [parent cgroup](https://docs.docker.com/engine/reference/commandline/build/#use-a-custom-parent-cgroup---cgroup-parent) for the container used in the build | -| `context` | String | Build's context is the set of files located in the specified [`PATH` or 
`URL`](https://docs.docker.com/engine/reference/commandline/build/) (default [Git context](#git-context)) | -| `file` | String | Path to the Dockerfile. (default `{context}/Dockerfile`) | -| `labels` | List | List of metadata for an image | -| `load` | Bool | [Load](https://docs.docker.com/engine/reference/commandline/buildx_build/#load) is a shorthand for `--output=type=docker` (default `false`) | -| `network` | String | Set the networking mode for the `RUN` instructions during build | -| `no-cache` | Bool | Do not use cache when building the image (default `false`) | -| `no-cache-filters` | List/CSV | Do not cache specified stages | -| `outputs`¹ | List | List of [output destinations](https://docs.docker.com/engine/reference/commandline/buildx_build/#output) (format: `type=local,dest=path`) | -| `platforms` | List/CSV | List of [target platforms](https://docs.docker.com/engine/reference/commandline/buildx_build/#platform) for build | -| `provenance` | Bool/String | Generate [provenance](https://docs.docker.com/build/attestations/slsa-provenance/) attestation for the build (shorthand for `--attest=type=provenance`) | -| `pull` | Bool | Always attempt to pull all referenced images (default `false`) | -| `push` | Bool | [Push](https://docs.docker.com/engine/reference/commandline/buildx_build/#push) is a shorthand for `--output=type=registry` (default `false`) | -| `sbom` | Bool/String | Generate [SBOM](https://docs.docker.com/build/attestations/sbom/) attestation for the build (shorthand for `--attest=type=sbom`) | -| `secrets` | List | List of [secrets](https://docs.docker.com/engine/reference/commandline/buildx_build/#secret) to expose to the build (e.g., `key=string`, `GIT_AUTH_TOKEN=mytoken`) | -| `secret-files` | List | List of [secret files](https://docs.docker.com/engine/reference/commandline/buildx_build/#secret) to expose to the build (e.g., `key=filename`, `MY_SECRET=./secret.txt`) | -| `shm-size` | String | Size of 
[`/dev/shm`](https://docs.docker.com/engine/reference/commandline/buildx_build/#shm-size) (e.g., `2g`) | -| `ssh` | List | List of [SSH agent socket or keys](https://docs.docker.com/engine/reference/commandline/buildx_build/#ssh) to expose to the build | -| `tags` | List/CSV | List of tags | -| `target` | String | Sets the target stage to build | -| `ulimit` | List | [Ulimit](https://docs.docker.com/engine/reference/commandline/buildx_build/#ulimit) options (e.g., `nofile=1024:1024`) | -| `github-token` | String | GitHub Token used to authenticate against a repository for [Git context](#git-context) (default `${{ github.token }}`) | +| Name | Type | Description | +|--------------------|-------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `add-hosts` | List/CSV | List of [customs host-to-IP mapping](https://docs.docker.com/engine/reference/commandline/build/#add-entries-to-container-hosts-file---add-host) (e.g., `docker:10.180.0.1`) | +| `allow` | List/CSV | List of [extra privileged entitlement](https://docs.docker.com/engine/reference/commandline/buildx_build/#allow) (e.g., `network.host,security.insecure`) | +| `attests` | List | List of [attestation](https://docs.docker.com/build/attestations/) parameters (e.g., `type=sbom,generator=image`) | +| `builder` | String | Builder instance (see [setup-buildx](https://github.com/docker/setup-buildx-action) action) | +| `build-args` | List | List of [build-time variables](https://docs.docker.com/engine/reference/commandline/buildx_build/#build-arg) | +| `build-contexts` | List | List of additional [build contexts](https://docs.docker.com/engine/reference/commandline/buildx_build/#build-context) (e.g., `name=path`) | +| `cache-from` | List | List of [external cache sources](https://docs.docker.com/engine/reference/commandline/buildx_build/#cache-from) (e.g., 
`type=local,src=path/to/dir`) | +| `cache-to` | List | List of [cache export destinations](https://docs.docker.com/engine/reference/commandline/buildx_build/#cache-to) (e.g., `type=local,dest=path/to/dir`) | +| `cgroup-parent` | String | Optional [parent cgroup](https://docs.docker.com/engine/reference/commandline/build/#use-a-custom-parent-cgroup---cgroup-parent) for the container used in the build | +| `context` | String | Build's context is the set of files located in the specified [`PATH` or `URL`](https://docs.docker.com/engine/reference/commandline/build/) (default [Git context](#git-context)) | +| `env-secrets` | List | List of [secrets](https://docs.docker.com/engine/reference/commandline/buildx_build/#secret) to expose to the build using environment variables from the GitHub runner (e.g., MY_SECRET=MY_ENV_VAR) | +| `file` | String | Path to the Dockerfile. (default `{context}/Dockerfile`) | +| `labels` | List | List of metadata for an image | +| `load` | Bool | [Load](https://docs.docker.com/engine/reference/commandline/buildx_build/#load) is a shorthand for `--output=type=docker` (default `false`) | +| `network` | String | Set the networking mode for the `RUN` instructions during build | +| `no-cache` | Bool | Do not use cache when building the image (default `false`) | +| `no-cache-filters` | List/CSV | Do not cache specified stages | +| `outputs`¹ | List | List of [output destinations](https://docs.docker.com/engine/reference/commandline/buildx_build/#output) (format: `type=local,dest=path`) | +| `platforms` | List/CSV | List of [target platforms](https://docs.docker.com/engine/reference/commandline/buildx_build/#platform) for build | +| `provenance` | Bool/String | Generate [provenance](https://docs.docker.com/build/attestations/slsa-provenance/) attestation for the build (shorthand for `--attest=type=provenance`) | +| `pull` | Bool | Always attempt to pull all referenced images (default `false`) | +| `push` | Bool | 
[Push](https://docs.docker.com/engine/reference/commandline/buildx_build/#push) is a shorthand for `--output=type=registry` (default `false`) |
+| `sbom`             | Bool/String | Generate [SBOM](https://docs.docker.com/build/attestations/sbom/) attestation for the build (shorthand for `--attest=type=sbom`)                                                                     |
+| `secrets`          | List        | List of [secrets](https://docs.docker.com/engine/reference/commandline/buildx_build/#secret) to expose to the build (e.g., `key=string`, `GIT_AUTH_TOKEN=mytoken`)                                   |
+| `secret-files`     | List        | List of [secret files](https://docs.docker.com/engine/reference/commandline/buildx_build/#secret) to expose to the build (e.g., `key=filename`, `MY_SECRET=./secret.txt`)                           |
+| `shm-size`         | String      | Size of [`/dev/shm`](https://docs.docker.com/engine/reference/commandline/buildx_build/#shm-size) (e.g., `2g`)                                                                                      |
+| `ssh`              | List        | List of [SSH agent socket or keys](https://docs.docker.com/engine/reference/commandline/buildx_build/#ssh) to expose to the build                                                                    |
+| `tags`             | List/CSV    | List of tags                                                                                                                                                                                        |
+| `target`           | String      | Sets the target stage to build                                                                                                                                                                      |
+| `ulimit`           | List        | [Ulimit](https://docs.docker.com/engine/reference/commandline/buildx_build/#ulimit) options (e.g., `nofile=1024:1024`)                                                                              |
+| `github-token`     | String      | GitHub Token used to authenticate against a repository for [Git context](#git-context) (default `${{ github.token }}`)                                                                              |

 > **Note**
 >
diff --git a/action.yml b/action.yml
index e004503..a3654ea 100644
--- a/action.yml
+++ b/action.yml
@@ -37,6 +37,9 @@ inputs:
 context:
 description: "Build's context is the set of files located in the specified PATH or URL"
 required: false
+ env-secrets:
+ description: "List of secrets to expose to the build using environment variables from the GitHub runner (e.g., MY_SECRET=MY_ENV_VAR)"
+ required: false
 file:
 description: "Path to the Dockerfile"
 required: false
diff --git a/src/context.ts b/src/context.ts
index a0d2b22..ca3964d 100644
--- a/src/context.ts
+++ b/src/context.ts
@@ -17,6 +17,7 @@ export interface Inputs {
 cacheTo: string[];
 cgroupParent: string;
 context: string;
+ envSecrets: string[];
 file: string;
 labels: string[];
 load: boolean;
@@ -51,6 +52,7 @@ export async function getInputs(): Promise {
 cacheTo: Util.getInputList('cache-to', {ignoreComma: true}),
 cgroupParent: core.getInput('cgroup-parent'),
 context: core.getInput('context') || Context.gitContext(),
+ envSecrets: Util.getInputList('env-secrets', {ignoreComma: true}),
 file: core.getInput('file'),
 labels: Util.getInputList('labels', {ignoreComma: true}),
 load: core.getBooleanInput('load'),
@@ -116,6 +118,13 @@ async function getBuildArgs(inputs: Inputs, context: string, toolkit: Toolkit):
 if (inputs.cgroupParent) {
 args.push('--cgroup-parent', inputs.cgroupParent);
 }
+ await Util.asyncForEach(inputs.envSecrets, async envSecret => {
+ try {
+ args.push('--secret', BuildxInputs.resolveBuildSecretEnv(envSecret));
+ } catch (err) {
+ core.warning(err.message);
+ }
+ });
 if (inputs.file) {
 args.push('--file', inputs.file);
 }
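Review bot: In the `catch (err)` block added to getBuildArgs, `err.message` is read without narrowing; if the project compiles with `strict` (which turns on `useUnknownInCatchVariables`) `err` is `unknown` there, so prefer `core.warning(err instanceof Error ? err.message : String(err));`. The catch also means an `env-secrets` entry that cannot be resolved is skipped with only a warning and the build continues without that secret — the new ci.yml job's `INVALID_SECRET=` entry appears to rely on exactly that, so a one-line comment above the loop such as `// Unresolvable entries are skipped with a warning; the build still runs without that secret.` would make the intent explicit for readers who expect a hard failure. Since the callback never awaits anything, a plain `for (const envSecret of inputs.envSecrets)` loop would express the same logic without `Util.asyncForEach`, though keeping the helper is fine if the neighbouring secret handling uses it too. I cannot see `BuildxInputs.resolveBuildSecretEnv`, so I am assuming from the catch that it throws on malformed input; getBuildArgs itself begins and ends outside this hunk.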