build: inject secret into docker build (#648)

* build: inject secret into docker build * disable pr build
gregkonush · Dec 24, 2024 · 46809aa · 46809aa
1 parent a696329
commit 46809aa
Show file tree

Hide file tree

Showing 4 changed files with 8 additions and 2 deletions.
diff --git a/.github/workflows/docker-build-common.yaml b/.github/workflows/docker-build-common.yaml
@@ -28,6 +28,8 @@ on:
         required: true
       REGISTRY_TOKEN:
         required: true
+      docker_secrets:
+        required: false
 
 jobs:
   build:
@@ -74,3 +76,5 @@ jobs:
           push: true
           cache-from: type=registry,ref=kalmyk.duckdns.org/lab/${{ inputs.image_name }}:latest
           cache-to: type=inline
+          secrets: |
+            ${{ secrets.docker_secrets }}
diff --git a/.github/workflows/docker-build-push.yaml b/.github/workflows/docker-build-push.yaml
@@ -54,3 +54,4 @@ jobs:
     secrets:
       REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
       REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
+      docker_secrets: mapbox_access_token=${{ secrets.NEXT_PUBLIC_MAPBOX_ACCESS_TOKEN }}
diff --git a/apps/findbobastore/Dockerfile b/apps/findbobastore/Dockerfile
@@ -13,7 +13,8 @@ RUN corepack enable
 COPY --from=deps /app/node_modules ./node_modules
 COPY --from=deps /app/apps/findbobastore/node_modules ./apps/findbobastore/node_modules
 COPY . .
-RUN pnpm build:findbobastore
+RUN --mount=type=secret,id=mapbox_access_token,env=NEXT_PUBLIC_MAPBOX_ACCESS_TOKEN \
+  pnpm build:findbobastore
 
 FROM node:lts-alpine AS runner
 WORKDIR /app

diff --git a/scripts/build-findbobastore.sh b/scripts/build-findbobastore.sh
@@ -18,7 +18,7 @@ FULL_IMAGE_NAME="${IMAGE_NAME}:${TAG}"
 
 # Build the Docker image
 echo "Building Docker image: ${FULL_IMAGE_NAME}"
-docker buildx build --platform linux/arm64 -t ${FULL_IMAGE_NAME} -f ${DOCKERFILE} ${CONTEXT_PATH} --push
+docker buildx build --platform linux/arm64 -t ${FULL_IMAGE_NAME} -f ${DOCKERFILE} ${CONTEXT_PATH} --push --secret id=mapbox_access_token,env=NEXT_PUBLIC_MAPBOX_ACCESS_TOKEN
 
 # Check if the build was successful
 if [ $? -eq 0 ]; then