From a8b73b6b8acf2ca212ff5691adf2d1a7529bc63f Mon Sep 17 00:00:00 2001
From: CrazyMax
Date: Thu, 23 Feb 2023 01:03:11 +0100
Subject: [PATCH] build(gha): move secrets section to dedicated page
Signed-off-by: CrazyMax
---
 _data/toc.yaml | 2 +
 build/ci/github-actions/examples.md | 99 -----------------------------
 build/ci/github-actions/secrets.md | 97 ++++++++++++++++++++++++++++
 3 files changed, 99 insertions(+), 99 deletions(-)
 create mode 100644 build/ci/github-actions/secrets.md
diff --git a/_data/toc.yaml b/_data/toc.yaml
index 63e6f66b8f..2d7dfa1ff5 100644
--- a/_data/toc.yaml
+++ b/_data/toc.yaml
@@ -1611,6 +1611,8 @@ manuals:
 title: Configuring your builder
 - path: /build/ci/github-actions/multi-platform/
 title: Multi-platform image
+ - path: /build/ci/github-actions/secrets/
+ title: Secrets
 - path: /build/ci/github-actions/cache/
 title: Cache management
 - path: /build/ci/github-actions/examples/
diff --git a/build/ci/github-actions/examples.md b/build/ci/github-actions/examples.md
index e2d4766c29..a991500255 100644
--- a/build/ci/github-actions/examples.md
+++ b/build/ci/github-actions/examples.md
@@ -142,105 +142,6 @@ jobs: ``` {% endraw %} -## Multi-platform images - - - -## Secrets - -In the following example uses and exposes the [`GITHUB_TOKEN` secret](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#about-the-github_token-secret){:target="blank" rel="noopener" class=""} -as provided by GitHub in your workflow. - -First, create a `Dockerfile` that uses the secret: - -```dockerfile -# syntax=docker/dockerfile:1 -FROM alpine -RUN --mount=type=secret,id=github_token \ - cat /run/secrets/github_token -``` - -In this example, the secret name is `github_token`. The following workflow -exposes this secret using the `secrets` input: - -{% raw %} -```yaml -name: ci - -on: - push: - branches: - - "main" - -jobs: - docker: - runs-on: ubuntu-latest - steps: - - - name: Checkout - uses: actions/checkout@v3 - - - name: Set up QEMU - uses: docker/setup-qemu-action@v2 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 - - - name: Build - uses: docker/build-push-action@v4 - with: - context: . 
- platforms: linux/amd64,linux/arm64 - tags: user/app:latest - secrets: | - "github_token=${{ secrets.GITHUB_TOKEN }}" -``` - -{% endraw %} - -> **Note** -> -> You can also expose a secret file to the build with the `secret-files` input: -> -> ```yaml -> secret-files: | -> "MY_SECRET=./secret.txt" -> ``` - -If you're using [GitHub secrets](https://docs.github.com/en/actions/security-guides/encrypted-secrets){:target="blank" rel="noopener" class=""} -and need to handle multi-line value, you will need to place the key-value pair -between quotes: - -{% raw %} -```yaml -secrets: | - "MYSECRET=${{ secrets.GPG_KEY }}" - GIT_AUTH_TOKEN=abcdefghi,jklmno=0123456789 - "MYSECRET=aaaaaaaa - bbbbbbb - ccccccccc" - FOO=bar - "EMPTYLINE=aaaa - - bbbb - ccc" - "JSON_SECRET={""key1"":""value1"",""key2"":""value2""}" -``` -{% endraw %} - -| Key | Value | -|------------------|-------------------------------------| -| `MYSECRET` | `***********************` | -| `GIT_AUTH_TOKEN` | `abcdefghi,jklmno=0123456789` | -| `MYSECRET` | `aaaaaaaa\nbbbbbbb\nccccccccc` | -| `FOO` | `bar` | -| `EMPTYLINE` | `aaaa\n\nbbbb\nccc` | -| `JSON_SECRET` | `{"key1":"value1","key2":"value2"}` | - -> **Note** -> -> Double escapes are needed for quote signs. - ## Export image to Docker You may want your build result to be available in the Docker client through diff --git a/build/ci/github-actions/secrets.md b/build/ci/github-actions/secrets.md new file mode 100644 index 0000000000..f21293303b --- /dev/null +++ b/build/ci/github-actions/secrets.md 
@@ -0,0 +1,97 @@ +--- +title: Using secrets with GitHub Actions +keywords: ci, github actions, gha, buildkit, buildx, secret +--- + +In the following example uses and exposes the [`GITHUB_TOKEN` secret](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#about-the-github_token-secret){:target="blank" rel="noopener" class=""} +as provided by GitHub in your workflow. + +First, create a `Dockerfile` that uses the secret: + +```dockerfile +# syntax=docker/dockerfile:1 +FROM alpine +RUN --mount=type=secret,id=github_token \ + cat /run/secrets/github_token +``` + +In this example, the secret name is `github_token`. The following workflow +exposes this secret using the `secrets` input: + +{% raw %} +```yaml +name: ci + +on: + push: + branches: + - "main" + +jobs: + docker: + runs-on: ubuntu-latest + steps: + - + name: Checkout + uses: actions/checkout@v3 + - + name: Set up QEMU + uses: docker/setup-qemu-action@v2 + - + name: Set up Docker Buildx + uses: docker/setup-buildx-action@v2 + - + name: Build + uses: docker/build-push-action@v4 + with: + context: . 
+ platforms: linux/amd64,linux/arm64 + tags: user/app:latest + secrets: | + "github_token=${{ secrets.GITHUB_TOKEN }}" +``` + +{% endraw %} + +> **Note** +> +> You can also expose a secret file to the build with the `secret-files` input: +> +> ```yaml +> secret-files: | +> "MY_SECRET=./secret.txt" +> ``` + +If you're using [GitHub secrets](https://docs.github.com/en/actions/security-guides/encrypted-secrets){:target="blank" rel="noopener" class=""} +and need to handle multi-line value, you will need to place the key-value pair +between quotes: + +{% raw %} +```yaml +secrets: | + "MYSECRET=${{ secrets.GPG_KEY }}" + GIT_AUTH_TOKEN=abcdefghi,jklmno=0123456789 + "MYSECRET=aaaaaaaa + bbbbbbb + ccccccccc" + FOO=bar + "EMPTYLINE=aaaa + + bbbb + ccc" + "JSON_SECRET={""key1"":""value1"",""key2"":""value2""}" +``` +{% endraw %} + +| Key | Value | +|------------------|-------------------------------------| +| `MYSECRET` | `***********************` | +| `GIT_AUTH_TOKEN` | `abcdefghi,jklmno=0123456789` | +| `MYSECRET` | `aaaaaaaa\nbbbbbbb\nccccccccc` | +| `FOO` | `bar` | +| `EMPTYLINE` | `aaaa\n\nbbbb\nccc` | +| `JSON_SECRET` | `{"key1":"value1","key2":"value2"}` | + +> **Note** +> +> Double escapes are needed for quote signs.