24 changes: 22 additions & 2 deletions .github/workflows/docker-build-push.yml
Expand Up @@ -79,6 +79,16 @@ on:
registry-password:
description: 'Registry password/token'
required: false
secret-build-args:
description: >-
Build args whose VALUES are secrets (KEY=VALUE, one per line), merged
with `build-args`. Pass these here, NOT via a caller job `output` —
GitHub strips secret values from job outputs, so an output handoff
silently yields empty build-args. Secrets resolve inside this job's
steps, so they reach the build correctly. NOTE: build-args bake into
image layers (visible via `docker history`) — use only for values that
are public anyway (e.g. NEXT_PUBLIC_*), never for true secrets.
required: false
outputs:
digest:
description: 'Image digest (sha256:...)'
Expand Down Expand Up @@ -146,12 +156,22 @@ jobs:

- name: Parse build arguments
id: build-args
if: inputs.build-args != ''
shell: bash
# Merge plain `build-args` with `secret-build-args`. The secret values
# are read from an env var (not interpolated into the script body) so
# they aren't echoed; GitHub masks them in logs, and step outputs keep
# their real values WITHIN this job (only cross-job outputs get stripped,
# which is the bug this input exists to avoid). docker/build-push-action
# de-dupes by key, so a key in both wins from whichever appears last —
# secret args are appended last so they take precedence.
env:
PLAIN_BUILD_ARGS: ${{ inputs.build-args }}
SECRET_BUILD_ARGS: ${{ secrets.secret-build-args }}
run: |
{
echo "args<<EOF"
echo "${{ inputs.build-args }}"
[ -n "$PLAIN_BUILD_ARGS" ] && printf '%s\n' "$PLAIN_BUILD_ARGS"
[ -n "$SECRET_BUILD_ARGS" ] && printf '%s\n' "$SECRET_BUILD_ARGS"
echo "EOF"
} >> "$GITHUB_OUTPUT"

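Review bot: The fixed heredoc terminator in `echo "args<<EOF"` / `echo "EOF"` now wraps caller-controlled multi-line content, so any line of `SECRET_BUILD_ARGS` (or `PLAIN_BUILD_ARGS`) that is exactly `EOF` silently truncates the output and lets the remaining lines be parsed as further `$GITHUB_OUTPUT` keys; use a per-run delimiter, e.g. `delim="args_$(openssl rand -hex 8)"`, `echo "args<<$delim"`, `echo "$delim"`. If the `if: inputs.build-args != ''` guard is still present on the new side (the rendered view does not show which of the two deleted lines it is), the step is skipped when only `secret-build-args` is supplied, which is exactly the case this change adds; since the `secrets` context is not available in a step `if:`, either drop the guard (the `[ -n ... ]` checks already tolerate empty inputs) or gate on a job-level `env` value instead. The env reference `secrets.secret-build-args` only resolves if the new entry in the first hunk sits under `workflow_call.secrets` rather than `inputs`; the hunk starting at `on:` does not show the parent key, so this is worth confirming. Log masking covers the secret as registered (the whole value, and for multi-line secrets each line), so the bare VALUE part of a `KEY=VALUE` line can still appear unmasked in build output and in `docker history`; for values that must stay secret, docker/build-push-action's `secrets` input (BuildKit secret mounts) avoids baking them into layers, and the description could point readers there. The step list continues outside the hunk, so the consumer of `steps.build-args.outputs.args` was not reviewed.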