ci: secret job to check for invalid secrets

Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>

.github/workflows/ci.yml

@@ -302,6 +302,29 @@ jobs:
         run: |
           docker image inspect myimage:latest
 
+  secret:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        uses: ./
+        with:
+          context: .
+          file: ./test/secret.Dockerfile
+          secrets: |
+            MYSECRET=foo
+            INVALID_SECRET=
+
   network:
     runs-on: ubuntu-latest
     steps:

__tests__/buildx.test.ts

@@ -137,8 +137,7 @@ describe('getSecret', () => {
       }
       expect(true).toBe(!invalid);
       expect(secret).toEqual(`id=${exKey},src=${tmpNameSync}`);
-      const secretValue = await fs.readFileSync(tmpNameSync, 'utf-8');
+      expect(fs.readFileSync(tmpNameSync, 'utf-8')).toEqual(exValue);
-      expect(secretValue).toEqual(exValue);
     } catch (err) {
       // eslint-disable-next-line jest/no-conditional-expect
       expect(true).toBe(invalid);

test/secret.Dockerfile

@@ -0,0 +1,4 @@
+# syntax=docker/dockerfile:1
+FROM busybox
+RUN --mount=type=secret,id=MYSECRET \
+  echo "MYSECRET=$(cat /run/secrets/MYSECRET)"