Allow to use secret file mount

Signed-off-by: CrazyMax <[email protected]>
docker · Feb 14, 2021 · 2a585c8 · 2a585c8
1 parent e5f26cd
commit 2a585c8
Show file tree

Hide file tree

Showing 6 changed files with 28 additions and 5 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-#syntax=docker/dockerfile:1.1-experimental
+#syntax=docker/dockerfile:1.2
 
 FROM node:12 AS deps
 WORKDIR /src

diff --git a/README.md b/README.md
@@ -46,6 +46,7 @@ ___
   * [outputs](#outputs)
 * [Notes](#notes)
   * [Multi-line secret value](#multi-line-secret-value)
+  * [Secret file mount](#secret-file-mount)
 * [Troubleshooting](#troubleshooting)
 * [Keep up-to-date with GitHub Dependabot](#keep-up-to-date-with-github-dependabot)
 * [Limitation](#limitation)
@@ -665,6 +666,20 @@ secrets: |
 
 > Note: all quote signs need to be doubled for escaping.
 
+### Secret file mount
+
+If the value of a secret is a file that exists in the workspace then its content will be used as value:
+
+```text
+# secret.txt
+bar
+```
+
+```yaml
+secrets: |
+  MYSECRET=./secret.txt
+```
+
 ## Troubleshooting
 
 See [TROUBLESHOOTING.md](TROUBLESHOOTING.md)

diff --git a/__tests__/buildx.test.ts b/__tests__/buildx.test.ts
@@ -122,6 +122,7 @@ describe('getSecret', () => {
     ['A_SECRET=abcdef0123456789', 'A_SECRET', 'abcdef0123456789', false],
     ['GIT_AUTH_TOKEN=abcdefghijklmno=0123456789', 'GIT_AUTH_TOKEN', 'abcdefghijklmno=0123456789', false],
     ['MY_KEY=c3RyaW5nLXdpdGgtZXF1YWxzCg==', 'MY_KEY', 'c3RyaW5nLXdpdGgtZXF1YWxzCg==', false],
+    [`foo=${path.join(__dirname, 'fixtures', 'secret.txt').split(path.sep).join(path.posix.sep)}`, 'foo', 'bar', false],
     ['aaaaaaaa', '', '', true],
     ['aaaaaaaa=', '', '', true],
     ['=bbbbbbb', '', '', true]

diff --git a/__tests__/fixtures/secret.txt b/__tests__/fixtures/secret.txt
@@ -0,0 +1 @@
+bar
diff --git a/dist/index.js b/dist/index.js
diff --git a/src/buildx.ts b/src/buildx.ts
@@ -21,14 +21,17 @@ export async function getImageID(): Promise<string | undefined> {
 export async function getSecret(kvp: string): Promise<string> {
   const delimiterIndex = kvp.indexOf('=');
   const key = kvp.substring(0, delimiterIndex);
-  const value = kvp.substring(delimiterIndex + 1);
+  let value = kvp.substring(delimiterIndex + 1);
   if (key.length == 0 || value.length == 0) {
     throw new Error(`${kvp} is not a valid secret`);
   }
+  if (fs.existsSync(value)) {
+    value = fs.readFileSync(value, {encoding: 'utf-8'});
+  }
   const secretFile = context.tmpNameSync({
     tmpdir: context.tmpDir()
   });
-  await fs.writeFileSync(secretFile, value);
+  fs.writeFileSync(secretFile, value);
   return `id=${key},src=${secretFile}`;
 }