Mounting secret does not seem to work in GitHub workflow
I'm trying to mount a GH secret when building a docker image as shown here. I'm running the job with:
run: |
  export DOCKER_BUILDKIT=1
  docker build . --file Dockerfile \
    --secret id=MY_SECRET
and adding the variable from GH with:
env:
  MY_SECRET: ${{ secrets.MY_SECRET }}
When I run echo $MY_SECRET before docker build, I see the *** as output, suggesting the environment variable is set.
My Dockerfile has the following line: RUN --mount=type=secret,id=MY_SECRET export MY_SECRET=$(cat /run/secrets/MY_SECRET). However, when I try to access MY_SECRET from a Python script further down, it can't find it.
When I just run RUN --mount=type=secret,id=MY_SECRET cat /run/secrets/MY_SECRET, I get a No such file or directory error for /run/secrets/MY_SECRET.
The beginning of my Dockerfile looks like the following:
# syntax=docker/dockerfile:experimental
# FROM ubuntu:18.04
FROM ubuntu:20.04
SHELL [ "/bin/bash", "--login", "-c" ]
ADD . ./code
WORKDIR /code
docker/dockerfile:experimental is deprecated. If you want to use experimental features, the labs tag is what you want: https://docs.docker.com/engine/reference/builder/#official-releases
So try with docker/dockerfile:labs or latest stable docker/dockerfile:1.
The same issue persists even with docker/dockerfile:labs and docker/dockerfile:1.
To add some information: when I run RUN --mount=type=secret,id=MY_SECRET wc /run/secrets/MY_SECRET, I get the expected length output in characters, suggesting there is a file at /run/secrets/MY_SECRET containing the secret.
Do you repro with:
- name: Build
  uses: docker/build-push-action@v3
  with:
    context: .
    file: Dockerfile
    secrets: |
      "MY_SECRET=${{ secrets.MY_SECRET }}"
Tried running it this way instead and got the same error. Checking the length with wc, I still find the secret with the same length; I just can't access it later.
The issue was with how the secret was then handled in the Dockerfile. A mistake on my side, not realizing it does not persist between layers.
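As an added illustration of the resolution above (this Dockerfile is not from the thread or from docker/build-push-action): each RUN instruction runs in its own shell and produces its own layer, so both the exported variable and the /run/secrets mount are gone by the next instruction. The secret has to be read and consumed inside the same RUN. The build_step.py script, the apt install line and the secret id are assumptions for the example.

```dockerfile
# syntax=docker/dockerfile:1
FROM ubuntu:20.04
WORKDIR /code
COPY . /code

# Assumed for the example: the image needs a Python interpreter.
RUN apt-get update \
    && apt-get install -y --no-install-recommends python3 \
    && rm -rf /var/lib/apt/lists/*

# WRONG (the pattern from the thread): the export only exists in this RUN's
# shell. The next instruction starts a fresh shell on a new layer where neither
# the variable nor /run/secrets/MY_SECRET exists, so a later script sees nothing.
RUN --mount=type=secret,id=MY_SECRET \
    export MY_SECRET="$(cat /run/secrets/MY_SECRET)"

# ALSO WRONG: copying the secret into the filesystem, or into ENV/ARG, makes it
# persist in an image layer, which is exactly what the secret mount is meant
# to prevent. Left commented so the image built from this file stays clean.
# RUN --mount=type=secret,id=MY_SECRET cp /run/secrets/MY_SECRET /code/.secret
# ENV MY_SECRET="leaked-into-image-metadata"

# RIGHT: read the secret and run the consumer in the same RUN. The value lives
# only in this shell; once the instruction finishes, the layer has no copy of it.
# build_step.py is an assumed script that reads os.environ["MY_SECRET"].
RUN --mount=type=secret,id=MY_SECRET \
    MY_SECRET="$(cat /run/secrets/MY_SECRET)" python3 /code/build_step.py
```

To check that nothing leaked, run a container from the finished image and confirm that /run/secrets/MY_SECRET does not exist and that `env` does not list MY_SECRET; the mount and the shell variable are only present during the single RUN that used them.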