
doc bug: secrets, secret-envs and secret-files documentation is horrible

Open breathe opened this issue 10 months ago • 8 comments

Contributing guidelines

I've found a bug, and:

  • [ ] The documentation does not mention anything about my problem
  • [ ] There are no open or closed issues that are related to my problem

Description

The documentation written:

> List of [secret files](https://docs.docker.com/engine/reference/commandline/buildx_build/#secret) to expose to the build (e.g., key=filename, MY_SECRET=./secret.txt)

I think `key=filename` in each of these examples is supposed to be explaining that the only allowed syntax is key=value, one per line. However, as written, these meanings are ridiculously unclear. The mapping from these settings to the 'normal' syntax for secrets via the docker cli is not clear at all -- which makes the docs linked similarly unclear.

These examples should be rewritten to show the cli options that even a single example use of this feature would correspond to semantically ...

List of [secret files](https://docs.docker.com/engine/reference/commandline/buildx_build/#secret) to expose to the build.  Example: `MY_SECRET=./secret.txt` translates to this cli `--secret id=MY_SECRET,type=file,src=./secret.txt`

Expected behaviour

The documentation would make it easy to interpret what values should be supplied

Actual behaviour

The documentation links to an explanation that uses spelling with insufficient information to infer how to interpret that documentation from the source context.

Repository URL

No response

Workflow run URL

No response

YAML workflow

`secret-files:`

Workflow logs

No response

BuildKit logs


Additional info

No response

breathe (Feb 24 '25 22:02)

We have dedicated docs for GitHub Actions and secrets usage at https://docs.docker.com/build/ci/github-actions/secrets/

Manuals section also covers CLI usage: https://docs.docker.com/build/building/secrets/

crazy-max (Feb 25 '25 08:02)

I'm not seeing secret-envs documented there.

synack-badamson (Mar 06 '25 22:03)

> I'm not seeing secret-envs documented there.

Yes we could have a note for this input in https://docs.docker.com/build/ci/github-actions/secrets/

crazy-max (Mar 07 '25 15:03)

> We have dedicated docs for GitHub Actions and secrets usage at https://docs.docker.com/build/ci/github-actions/secrets/
>
> Manuals section also covers CLI usage: https://docs.docker.com/build/building/secrets/

What information in the readme of this repository explains that there are better docs somewhere else? Could that be added?

daveneeley (Mar 12 '25 05:03)

> What information in the readme of this repository explains that there are better docs somewhere else? Could that be added?

  • https://github.com/docker/build-push-action/blob/84ad562665bb303b549fec655d1b64f9945f3f91/README.md?plain=1#L159
  • https://github.com/docker/build-push-action/blob/84ad562665bb303b549fec655d1b64f9945f3f91/README.md?plain=1#L251-L253

crazy-max (Mar 14 '25 13:03)

What's the difference between secrets and secret-envs?


Edit: Note for future me:

How to make env work in GitHub Actions

```yaml
      - name: Build and push
        uses: docker/build-push-action@v6
        with:
          ...
          secrets: |
            SENTRY_AUTH_TOKEN=${{ secrets.SENTRY_AUTH_TOKEN }}
```

Dockerfile

```dockerfile
# The secret is exposed to this RUN step only, as the env var SENTRY_AUTH_TOKEN;
# it is not written into the image layer.
RUN --mount=type=secret,id=SENTRY_AUTH_TOKEN,env=SENTRY_AUTH_TOKEN \
  bun run build
```

;-)

GorlikItsMe (Mar 19 '25 09:03)
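Both the issue's request (show which `--secret` flag each `key=value` line becomes) and the question above about `secrets` versus `secret-envs` come down to one mapping. The POSIX sh function below is an added example, not the action's own code (that is TypeScript): the `id=...,type=file,src=...` and `id=...,env=...` spellings follow the buildx docs linked in the issue, while staging inline `secrets` values in a 0600 file (so the value never appears on the command line or in CI logs) is an assumption about how a careful implementation would do it. Note the `env=` in the RUN mount above is the consumer side inside the Dockerfile, whereas `secret-envs` names the variable on the runner side.

```shell
#!/bin/sh
# Added example: models how each KEY=value line of build-push-action's
# `secrets`, `secret-files` and `secret-envs` inputs maps onto a
# `docker buildx build --secret ...` flag. Not the action's real code.
#
# usage: secret_flags MODE INPUT [STAGEDIR]
#   MODE      secrets | secret-files | secret-envs
#   INPUT     multi-line string, one KEY=value per line
#   STAGEDIR  required for MODE=secrets: a private dir (e.g. from `mktemp -d`)
#             where the inline values are staged; delete it after the build.
secret_flags() {
  mode=$1; input=$2; stagedir=$3
  printf '%s\n' "$input" | while IFS= read -r line; do
    [ -z "$line" ] && continue
    case $line in
      *=*) ;;
      *) echo "bad line (no '='): $line" >&2; exit 1 ;;
    esac
    key=${line%%=*}
    value=${line#*=}
    # A key containing ',' or '=' could smuggle extra --secret options
    # (e.g. a different src=), so allow identifier characters only.
    case $key in
      ''|*[!A-Za-z0-9_]*) echo "bad key: $key" >&2; exit 1 ;;
    esac
    case $mode in
      # secret-files: value is a path on the runner; buildx reads that file.
      secret-files) printf '%s\n' "--secret id=$key,type=file,src=$value" ;;
      # secret-envs: value names an env var on the runner; buildx reads it.
      secret-envs) printf '%s\n' "--secret id=$key,env=$value" ;;
      # secrets: value IS the secret. Never put it on the buildx command line
      # (visible in `ps` and CI logs); stage it in a 0600 file and pass src=.
      secrets)
        [ -n "$stagedir" ] || { echo "STAGEDIR required for secrets" >&2; exit 1; }
        f="$stagedir/$key"
        (umask 077 && printf '%s' "$value" > "$f") || exit 1
        printf '%s\n' "--secret id=$key,type=file,src=$f" ;;
      *) echo "unknown mode: $mode" >&2; exit 1 ;;
    esac
  done
}
```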

This is how I was able to use the secrets in GitHub Actions

```yaml
      - name: Build and push to ECR
        uses: docker/build-push-action@v6
        with:
          platforms: linux/amd64
          context: .
          push: true
          secrets: |
            AWS_ACCESS_KEY_ID=${{ secrets.AWS_ACCESS_KEY_ID }}
            AWS_SECRET_ACCESS_KEY=${{ secrets.AWS_SECRET_ACCESS_KEY }}
            AWS_REGION=${{ vars.AWS_REGION }}
```

```dockerfile
# Builder stage code not pasted here

FROM public.ecr.aws/aws-cli/aws-cli:latest AS uploader

WORKDIR /files

ARG NEXT_ASSET_BUCKET_NAME
ENV NEXT_ASSET_BUCKET_NAME=$NEXT_ASSET_BUCKET_NAME

COPY --from=builder /build/.next/static ./static

# Each secret is available only at /run/secrets/<id> during this RUN step and
# is never written to a layer. AWS_SESSION_TOKEN is mounted but not supplied
# by the workflow above and not read below; BuildKit tolerates a missing
# secret unless the mount sets required=true.
RUN --mount=type=secret,id=AWS_ACCESS_KEY_ID \
    --mount=type=secret,id=AWS_SECRET_ACCESS_KEY \
    --mount=type=secret,id=AWS_SESSION_TOKEN \
    --mount=type=secret,id=AWS_REGION \
    bash -c '\
    aws configure set aws_access_key_id "$(cat /run/secrets/AWS_ACCESS_KEY_ID)" && \
    aws configure set aws_secret_access_key "$(cat /run/secrets/AWS_SECRET_ACCESS_KEY)" && \
    aws configure set region "$(cat /run/secrets/AWS_REGION)" && \
    aws sts get-caller-identity && \
    aws s3 sync ./static "s3://'"$NEXT_ASSET_BUCKET_NAME"'/_next/static" \
        --delete \
        --no-progress \
        --cache-control "max-age=604800" \
    '
```

ankurk91 (Apr 08 '25 11:04)

@GorlikItsMe I couldn't make this way work with pnpm :(

y-nk (Jun 09 '25 07:06)