From 5f0126781708ffd72202981f31f2df01ef2a4380 Mon Sep 17 00:00:00 2001 From: Elias Lundgren <145569914+elias-lundgren@users.noreply.github.com> Date: Tue, 26 Sep 2023 16:34:10 +0200 Subject: [PATCH] feat: add secret-envs input Signed-off-by: Elias Lundgren <145569914+elias-lundgren@users.noreply.github.com> --- .github/workflows/ci.yml | 25 ++++++++++ README.md | 1 + __tests__/context.test.ts | 43 ++++++++++++++++ action.yml | 3 ++ package.json | 2 +- src/context.ts | 9 ++++ yarn.lock | 101 +++++++++++++++++++++++++++++--------- 7 files changed, 161 insertions(+), 23 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 62ef229..33479a2 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -393,6 +393,31 @@ jobs: MYSECRET=foo INVALID_SECRET= + secret-env: + runs-on: ubuntu-latest + steps: + - + name: Checkout + uses: actions/checkout@v4 + - + name: Set up Docker buildx + uses: docker/setup-buildx-action@v3 + with: + version: ${{ inputs.buildx-version || env.BUILDX_VERSION }} + driver-opts: | + image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }} + - + name: Build + uses: ./ + env: + ENV_SECRET: foo + with: + context: . + file: ./test/secret.Dockerfile + secret-envs: | + MYSECRET=ENV_SECRET + INVALID_SECRET= + network: runs-on: ubuntu-latest steps: diff --git a/README.md b/README.md index b6f011b..426e405 100644 --- a/README.md +++ b/README.md 
@@ -238,6 +238,7 @@ Following inputs can be used as `step.with` keys | `push` | Bool | [Push](https://docs.docker.com/engine/reference/commandline/buildx_build/#push) is a shorthand for `--output=type=registry` (default `false`) | | `sbom` | Bool/String | Generate [SBOM](https://docs.docker.com/build/attestations/sbom/) attestation for the build (shorthand for `--attest=type=sbom`) | | `secrets` | List | List of [secrets](https://docs.docker.com/engine/reference/commandline/buildx_build/#secret) to expose to the build (e.g., `key=string`, `GIT_AUTH_TOKEN=mytoken`) | +| `secret-envs` | List/CSV | List of [secrets](https://docs.docker.com/engine/reference/commandline/buildx_build/#secret) to expose to the build using environment variables (e.g., MY_SECRET=MY_ENV_VAR) | | `secret-files` | List | List of [secret files](https://docs.docker.com/engine/reference/commandline/buildx_build/#secret) to expose to the build (e.g., `key=filename`, `MY_SECRET=./secret.txt`) | | `shm-size` | String | Size of [`/dev/shm`](https://docs.docker.com/engine/reference/commandline/buildx_build/#shm-size) (e.g., `2g`) | | `ssh` | List | List of [SSH agent socket or keys](https://docs.docker.com/engine/reference/commandline/buildx_build/#ssh) to expose to the build | diff --git a/__tests__/context.test.ts b/__tests__/context.test.ts index 14cea2c..e05a212 100644 --- a/__tests__/context.test.ts +++ b/__tests__/context.test.ts 
@@ -619,6 +619,49 @@ nproc=3`],
 '.'
 ]
 ],
+ [
+ 25,
+ '0.10.0',
+ new Map([
+ ['context', '.'],
+ ['no-cache', 'false'],
+ ['load', 'true'],
+ ['push', 'false'],
+ ['pull', 'false'],
+ ['secret-envs', `MY_SECRET=MY_SECRET_ENV
+ANOTHER_SECRET=ANOTHER_SECRET_ENV`]
+ ]),
+ [
+ 'build',
+ '--secret', 'id=MY_SECRET,env=MY_SECRET_ENV',
+ '--secret', 'id=ANOTHER_SECRET,env=ANOTHER_SECRET_ENV',
+ '--iidfile', path.join(tmpDir, 'iidfile'),
+ '--load',
+ '--metadata-file', path.join(tmpDir, 'metadata-file'),
+ '.'
+ ]
+ ],
+ [
+ 26,
+ '0.10.0',
+ new Map([
+ ['context', '.'],
+ ['no-cache', 'false'],
+ ['load', 'true'],
+ ['push', 'false'],
+ ['pull', 'false'],
+ ['secret-envs', 'MY_SECRET=MY_SECRET_ENV,ANOTHER_SECRET=ANOTHER_SECRET_ENV']
+ ]),
+ [
+ 'build',
+ '--secret', 'id=MY_SECRET,env=MY_SECRET_ENV',
+ '--secret', 'id=ANOTHER_SECRET,env=ANOTHER_SECRET_ENV',
+ '--iidfile', path.join(tmpDir, 'iidfile'),
+ '--load',
+ '--metadata-file', path.join(tmpDir, 'metadata-file'),
+ '.'
+ ]
+ ],
 ])(
 '[%d] given %p with %p as inputs, returns %p',
 async (num: number, buildxVersion: string, inputs: Map, expected: Array) => {
diff --git a/action.yml b/action.yml
index e004503..3cdf81f 100644
--- a/action.yml
+++ b/action.yml
@@ -80,6 +80,9 @@ inputs:
 secrets:
 description: "List of secrets to expose to the build (e.g., key=string, GIT_AUTH_TOKEN=mytoken)"
 required: false
+ secret-envs:
+ description: "List of secrets to expose to the build using environment variables (e.g., MY_SECRET=MY_ENV_VAR)"
+ required: false
 secret-files:
 description: "List of secret files to expose to the build (e.g., key=filename, MY_SECRET=./secret.txt)"
 required: false
diff --git a/package.json b/package.json
index 6df8bd9..5e6bf3a 100644
--- a/package.json
+++ b/package.json
@@ -27,7 +27,7 @@
 "license": "Apache-2.0",
 "dependencies": {
 "@actions/core": "^1.10.1",
- "@docker/actions-toolkit": "^0.12.0",
+ "@docker/actions-toolkit": "0.13.0-rc.1",
 "handlebars": "^4.7.7"
 },
 "devDependencies": {
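Review bot: Cases 25 and 26 only exercise well-formed `NAME=ENV` mappings, so the error path that ci.yml deliberately feeds the action (`INVALID_SECRET=`) has no unit-level coverage and nothing pins whether a bad entry is skipped or still produces a `--secret` flag. If, as the CI job suggests, `resolveBuildSecretEnv` rejects an empty variable name, a third case with `['secret-envs', 'MY_SECRET=MY_SECRET_ENV\nINVALID_SECRET=']` expecting a single `'--secret', 'id=MY_SECRET,env=MY_SECRET_ENV'` would lock that behaviour in. The two new cases are otherwise identical apart from newline-vs-comma separation, which is worth a one-line comment above case 26, e.g. `// same mapping as case 25, comma-separated (secret-envs is parsed as a CSV list, unlike secrets/secret-files)`. The `test.each` table starts well before this hunk.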
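Review bot: The new `secret-envs` description does not say whose environment the right-hand side refers to; the CI job in this patch sets `ENV_SECRET` under the step's own `env:`, which suggests the variable must exist in the action step's process, not in the runner-wide environment or the Dockerfile. That is the security-relevant property of this input (only the variable name, never the value, is written into the `--secret` argument), and users will otherwise reach for `secrets.FOO` directly on the right-hand side. Suggest `description: "List of secrets to expose to the build from environment variables of this step (e.g., MY_SECRET=MY_ENV_VAR, with MY_ENV_VAR set under the step's env:)"`, and stating the same in the README row.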
diff --git a/src/context.ts b/src/context.ts
index a0d2b22..b14d02d 100644
--- a/src/context.ts
+++ b/src/context.ts
@@ -30,6 +30,7 @@ export interface Inputs {
 push: boolean;
 sbom: string;
 secrets: string[];
+ secretEnvs: string[];
 secretFiles: string[];
 shmSize: string;
 ssh: string[];
@@ -64,6 +65,7 @@ export async function getInputs(): Promise {
 push: core.getBooleanInput('push'),
 sbom: core.getInput('sbom'),
 secrets: Util.getInputList('secrets', {ignoreComma: true}),
+ secretEnvs: Util.getInputList('secret-envs'),
 secretFiles: Util.getInputList('secret-files', {ignoreComma: true}),
 shmSize: core.getInput('shm-size'),
 ssh: Util.getInputList('ssh'),
@@ -116,6 +118,13 @@ async function getBuildArgs(inputs: Inputs, context: string, toolkit: Toolkit):
 if (inputs.cgroupParent) {
 args.push('--cgroup-parent', inputs.cgroupParent);
 }
+ await Util.asyncForEach(inputs.secretEnvs, async secretEnv => {
+ try {
+ args.push('--secret', BuildxInputs.resolveBuildSecretEnv(secretEnv));
+ } catch (err) {
+ core.warning(err.message);
+ }
+ });
 if (inputs.file) {
 args.push('--file', inputs.file);
 }
diff --git a/yarn.lock b/yarn.lock
index c529522..48adff6 100644
--- a/yarn.lock
+++ b/yarn.lock
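Review bot: A malformed `secret-envs` entry is downgraded to `core.warning` in the new `catch` and the build continues without that secret, so a typo in a secret mapping only surfaces later — as a BuildKit error if the Dockerfile mounts it with `required=true`, otherwise as a silently missing secret. If that best-effort behaviour is intentional (the existing `secrets` job in ci.yml is exercised with `INVALID_SECRET=` too, which suggests it mirrors the current handling), say so above the loop, e.g. `// Malformed entries are reported and skipped; the build proceeds without that secret.`; otherwise `core.setFailed` or a rethrow is the safer default for a secrets input. The catch also reads `err.message` on an unnarrowed `err`; `core.warning(err instanceof Error ? err.message : String(err));` keeps the message if the toolkit ever throws a non-Error. Whether `resolveBuildSecretEnv` verifies that the named variable is actually set in the step environment is not visible here and is worth confirming, since an unset variable would otherwise become an empty secret rather than an error. getBuildArgs starts and ends outside the hunk.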
@@ -731,19 +731,20 @@ dependencies: "@jridgewell/trace-mapping" "0.3.9" -"@docker/actions-toolkit@^0.12.0": - version "0.12.0" - resolved "https://registry.yarnpkg.com/@docker/actions-toolkit/-/actions-toolkit-0.12.0.tgz#aa0ba45ac278234171a12637779b8e2687f25edc" - integrity sha512-yHhXt1te5AWZsmuIUcoAv5fH4kQ2huiLpdkm0pXUHY6GJrVDfClEE5nc6BXWSBDTZIbrKBTkbCjEnK6euWr65g== +"@docker/actions-toolkit@0.13.0-rc.1": + version "0.13.0-rc.1" + resolved "https://registry.yarnpkg.com/@docker/actions-toolkit/-/actions-toolkit-0.13.0-rc.1.tgz#98085dcc1467c0e18f9e1104f81687ffa8b6cd15" + integrity sha512-vdHaxguKszNPDnaAW8kpvKPgmwzf3cmCnBKBT7x9mYedhhYvRmZn17MwD31n5BRrtASktSXUj4S5eVxa532klw== dependencies: "@actions/cache" "^3.2.2" - "@actions/core" "^1.10.0" + "@actions/core" "^1.10.1" "@actions/exec" "^1.1.1" "@actions/github" "^5.1.1" "@actions/http-client" "^2.1.1" "@actions/io" "^1.1.3" "@actions/tool-cache" "^2.0.1" - "@octokit/plugin-rest-endpoint-methods" "^7.2.3" + "@octokit/core" "^5.0.1" + "@octokit/plugin-rest-endpoint-methods" "^10.0.0" async-retry "^1.3.3" csv-parse "^5.5.0" handlebars "^4.7.8" @@ -1134,6 +1135,11 @@ dependencies: "@octokit/types" "^6.0.3" +"@octokit/auth-token@^4.0.0": + version "4.0.0" + resolved "https://registry.yarnpkg.com/@octokit/auth-token/-/auth-token-4.0.0.tgz#40d203ea827b9f17f42a29c6afb93b7745ef80c7" + integrity sha512-tY/msAuJo6ARbK6SPIxZrPBms3xPbfwBrulZe0Wtr/DIY9lje2HeV1uoebShn6mx7SjCHif6EjMvoREj+gZ+SA== + "@octokit/core@^3.6.0": version "3.6.0" resolved "https://registry.yarnpkg.com/@octokit/core/-/core-3.6.0.tgz#3376cb9f3008d9b3d110370d90e0a1fcd5fe6085" 
@@ -1147,6 +1153,19 @@ before-after-hook "^2.2.0" universal-user-agent "^6.0.0" +"@octokit/core@^5.0.1": + version "5.0.1" + resolved "https://registry.yarnpkg.com/@octokit/core/-/core-5.0.1.tgz#865da2b30d54354cccb6e30861ddfa0e24494780" + integrity sha512-lyeeeZyESFo+ffI801SaBKmCfsvarO+dgV8/0gD8u1d87clbEdWsP5yC+dSj3zLhb2eIf5SJrn6vDz9AheETHw== + dependencies: + "@octokit/auth-token" "^4.0.0" + "@octokit/graphql" "^7.0.0" + "@octokit/request" "^8.0.2" + "@octokit/request-error" "^5.0.0" + "@octokit/types" "^12.0.0" + before-after-hook "^2.2.0" + universal-user-agent "^6.0.0" + "@octokit/endpoint@^6.0.1": version "6.0.5" resolved "https://registry.yarnpkg.com/@octokit/endpoint/-/endpoint-6.0.5.tgz#43a6adee813c5ffd2f719e20cfd14a1fee7c193a" @@ -1156,6 +1175,15 @@ is-plain-object "^4.0.0" universal-user-agent "^6.0.0" +"@octokit/endpoint@^9.0.0": + version "9.0.1" + resolved "https://registry.yarnpkg.com/@octokit/endpoint/-/endpoint-9.0.1.tgz#c3f69d27accddcb04a3199fcef541804288149d2" + integrity sha512-hRlOKAovtINHQPYHZlfyFwaM8OyetxeoC81lAkBy34uLb8exrZB50SQdeW3EROqiY9G9yxQTpp5OHTV54QD+vA== + dependencies: + "@octokit/types" "^12.0.0" + is-plain-object "^5.0.0" + universal-user-agent "^6.0.0" + "@octokit/graphql@^4.5.8": version "4.6.1" resolved "https://registry.yarnpkg.com/@octokit/graphql/-/graphql-4.6.1.tgz#f975486a46c94b7dbe58a0ca751935edc7e32cc9" 
@@ -1165,15 +1193,24 @@ "@octokit/types" "^6.0.3" universal-user-agent "^6.0.0" +"@octokit/graphql@^7.0.0": + version "7.0.2" + resolved "https://registry.yarnpkg.com/@octokit/graphql/-/graphql-7.0.2.tgz#3df14b9968192f9060d94ed9e3aa9780a76e7f99" + integrity sha512-OJ2iGMtj5Tg3s6RaXH22cJcxXRi7Y3EBqbHTBRq+PQAqfaS8f/236fUrWhfSn8P4jovyzqucxme7/vWSSZBX2Q== + dependencies: + "@octokit/request" "^8.0.1" + "@octokit/types" "^12.0.0" + universal-user-agent "^6.0.0" + "@octokit/openapi-types@^11.2.0": version "11.2.0" resolved "https://registry.yarnpkg.com/@octokit/openapi-types/-/openapi-types-11.2.0.tgz#b38d7fc3736d52a1e96b230c1ccd4a58a2f400a6" integrity sha512-PBsVO+15KSlGmiI8QAzaqvsNlZlrDlyAJYcrXBCvVUxCp7VnXjkwPoFHgjEJXx3WF9BAwkA6nfCUA7i9sODzKA== -"@octokit/openapi-types@^18.0.0": - version "18.0.0" - resolved "https://registry.yarnpkg.com/@octokit/openapi-types/-/openapi-types-18.0.0.tgz#f43d765b3c7533fd6fb88f3f25df079c24fccf69" - integrity sha512-V8GImKs3TeQRxRtXFpG2wl19V7444NIOTDF24AWuIbmNaNYOQMWRbjcGDXV5B+0n887fgDcuMNOmlul+k+oJtw== +"@octokit/openapi-types@^19.0.0": + version "19.0.0" + resolved "https://registry.yarnpkg.com/@octokit/openapi-types/-/openapi-types-19.0.0.tgz#0101bf62ab14c1946149a0f8385440963e1253c4" + integrity sha512-PclQ6JGMTE9iUStpzMkwLCISFn/wDeRjkZFIKALpvJQNBGwDoYYi2fFvuHwssoQ1rXI5mfh6jgTgWuddeUzfWw== "@octokit/openapi-types@^7.0.0": version "7.0.0" 
@@ -1187,6 +1224,13 @@ dependencies: "@octokit/types" "^6.34.0" +"@octokit/plugin-rest-endpoint-methods@^10.0.0": + version "10.0.0" + resolved "https://registry.yarnpkg.com/@octokit/plugin-rest-endpoint-methods/-/plugin-rest-endpoint-methods-10.0.0.tgz#040b36d6a15d4c7c534b0f44050051225f884cae" + integrity sha512-16VkwE2v6rXU+/gBsYC62M8lKWOphY5Lg4wpjYnVE9Zbu0J6IwiT5kILoj1YOB53XLmcJR+Nqp8DmifOPY4H3g== + dependencies: + "@octokit/types" "^12.0.0" + "@octokit/plugin-rest-endpoint-methods@^5.13.0": version "5.13.0" resolved "https://registry.yarnpkg.com/@octokit/plugin-rest-endpoint-methods/-/plugin-rest-endpoint-methods-5.13.0.tgz#8c46109021a3412233f6f50d28786f8e552427ba" @@ -1195,13 +1239,6 @@ "@octokit/types" "^6.34.0" deprecation "^2.3.1" -"@octokit/plugin-rest-endpoint-methods@^7.2.3": - version "7.2.3" - resolved "https://registry.yarnpkg.com/@octokit/plugin-rest-endpoint-methods/-/plugin-rest-endpoint-methods-7.2.3.tgz#37a84b171a6cb6658816c82c4082ac3512021797" - integrity sha512-I5Gml6kTAkzVlN7KCtjOM+Ruwe/rQppp0QU372K1GP7kNOYEKe8Xn5BW4sE62JAHdwpq95OQK/qGNyKQMUzVgA== - dependencies: - "@octokit/types" "^10.0.0" - "@octokit/request-error@^2.0.0": version "2.0.2" resolved "https://registry.yarnpkg.com/@octokit/request-error/-/request-error-2.0.2.tgz#0e76b83f5d8fdda1db99027ea5f617c2e6ba9ed0" @@ -1229,6 +1266,15 @@ deprecation "^2.0.0" once "^1.4.0" +"@octokit/request-error@^5.0.0": + version "5.0.1" + resolved "https://registry.yarnpkg.com/@octokit/request-error/-/request-error-5.0.1.tgz#277e3ce3b540b41525e07ba24c5ef5e868a72db9" + integrity sha512-X7pnyTMV7MgtGmiXBwmO6M5kIPrntOXdyKZLigNfQWSEQzVxR4a4vo49vJjTWX70mPndj8KhfT4Dx+2Ng3vnBQ== + dependencies: + "@octokit/types" "^12.0.0" + deprecation "^2.0.0" + once "^1.4.0" + "@octokit/request@^5.3.0": version "5.4.7" resolved "https://registry.yarnpkg.com/@octokit/request/-/request-5.4.7.tgz#fd703ee092e0463ceba49ff7a3e61cb4cf8a0fde" 
@@ -1255,12 +1301,23 @@ node-fetch "^2.6.7" universal-user-agent "^6.0.0" -"@octokit/types@^10.0.0": - version "10.0.0" - resolved "https://registry.yarnpkg.com/@octokit/types/-/types-10.0.0.tgz#7ee19c464ea4ada306c43f1a45d444000f419a4a" - integrity sha512-Vm8IddVmhCgU1fxC1eyinpwqzXPEYu0NrYzD3YZjlGjyftdLBTeqNblRC0jmJmgxbJIsQlyogVeGnrNaaMVzIg== +"@octokit/request@^8.0.1", "@octokit/request@^8.0.2": + version "8.1.3" + resolved "https://registry.yarnpkg.com/@octokit/request/-/request-8.1.3.tgz#03d7fb9b5fe8b800cd5c10d008f99ac02f27e8b4" + integrity sha512-iUvXP4QmysS8kyE/a4AGwR0A+tHDVxgW6TmPd2ci8/Xc8KjlBtTKSDpZlUT5Y4S4Nu+eM8LvbOYjVAp/sz3Gpg== dependencies: - "@octokit/openapi-types" "^18.0.0" + "@octokit/endpoint" "^9.0.0" + "@octokit/request-error" "^5.0.0" + "@octokit/types" "^12.0.0" + is-plain-object "^5.0.0" + universal-user-agent "^6.0.0" + +"@octokit/types@^12.0.0": + version "12.0.0" + resolved "https://registry.yarnpkg.com/@octokit/types/-/types-12.0.0.tgz#6b34309288b6f5ac9761d2589e3165cde1b95fee" + integrity sha512-EzD434aHTFifGudYAygnFlS1Tl6KhbTynEWELQXIbTY8Msvb5nEqTZIm7sbPEt4mQYLZwu3zPKVdeIrw0g7ovg== + dependencies: + "@octokit/openapi-types" "^19.0.0" "@octokit/types@^5.0.0", "@octokit/types@^5.0.1": version "5.4.1"