I am trying to leverage the secrets passing functionality in a docker build-push process using the corresponding action.
Here is how I am invoking the action:
- name: build and push base runtime image
  uses: docker/build-push-action@v5
  with:
    file: path/to/Dockerfile
    build-args: |
      USERNAME=${{ inputs.username }}
    secrets: |
      ${{ secrets.MY_PASSWORD }}
The Dockerfile:
FROM ubuntu:latest
ARG USERNAME
COPY ./test-script.sh .
RUN --mount=type=secret,id=MY_PASSWORD \
    cat /run/secrets/MY_PASSWORD
RUN ./test-script.sh ${USERNAME} $(cat /run/secrets/MY_PASSWORD)
The build process fails with:
cat: /run/secrets/MY_PASSWORD: No such file or directory
Why is that?
There are two issues with your code:
1. You do not pass the secret correctly to the action; you'll have to use "MY_PASSWORD=${{ secrets.MY_PASSWORD }}".
2. You need to mount the secret on each RUN statement in which you will try to use it.
Here are your fixed files:
the pipeline snippet
- name: build and push base runtime image
  uses: docker/build-push-action@v5
  with:
    file: path/to/Dockerfile
    build-args: |
      USERNAME=${{ inputs.username }}
    secrets: |
      "MY_PASSWORD=${{ secrets.MY_PASSWORD }}"
and the Dockerfile
FROM ubuntu:latest
ARG USERNAME
COPY ./test-script.sh .
RUN --mount=type=secret,id=MY_PASSWORD \
    cat /run/secrets/MY_PASSWORD
RUN --mount=type=secret,id=MY_PASSWORD \
    ./test-script.sh ${USERNAME} $(cat /run/secrets/MY_PASSWORD)
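A hardened variant of the same Dockerfile, added here as an example and not taken from the question or the answer. It assumes test-script.sh is changed to read the password from the file named in MY_PASSWORD_FILE (a hypothetical variable) instead of taking it as an argument, so the value is neither printed into the build log by a diagnostic cat nor visible on the process command line.

```dockerfile
# syntax=docker/dockerfile:1
FROM ubuntu:latest
ARG USERNAME
COPY ./test-script.sh .

# The secret is mounted as a tmpfs file for this RUN only and is never written
# to an image layer. required=true makes BuildKit fail the build up front if the
# workflow did not pass a secret with id=MY_PASSWORD, instead of a later
# "No such file or directory" hiding the real cause.
# MY_PASSWORD_FILE is an assumed convention of the (modified) script.
RUN --mount=type=secret,id=MY_PASSWORD,dst=/run/secrets/MY_PASSWORD,required=true \
    MY_PASSWORD_FILE=/run/secrets/MY_PASSWORD ./test-script.sh "${USERNAME}"

# Every later RUN that needs the password must repeat the mount; the file from
# the previous step is gone once that step finishes.
RUN --mount=type=secret,id=MY_PASSWORD,dst=/run/secrets/MY_PASSWORD,required=true \
    test -s /run/secrets/MY_PASSWORD
```

Keep the password out of build-args as well: ARG values are recorded in the image history of the pushed image, whereas a secret mount leaves no trace in it.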