diff --git a/.github/vale/config/vocabularies/Docker/accept.txt b/.github/vale/config/vocabularies/Docker/accept.txt index a9dbdd0c0a..775f1cf3da 100644 --- a/.github/vale/config/vocabularies/Docker/accept.txt +++ b/.github/vale/config/vocabularies/Docker/accept.txt @@ -92,6 +92,7 @@ SLES SLSA SPDX SQLite +SSH SSO Slack Snyk diff --git a/content/build/ci/github-actions/secrets.md b/content/build/ci/github-actions/secrets.md index 39004ae70e..7e3a4e524e 100644 --- a/content/build/ci/github-actions/secrets.md +++ b/content/build/ci/github-actions/secrets.md @@ -4,6 +4,18 @@ description: Example using secret mounts with GitHub Actions keywords: ci, github actions, gha, buildkit, buildx, secret --- +A build secret is sensitive information, such as a password or API token, consumed as part of the build process. +Docker Build supports two forms of secrets: + +- [Secret mounts](#secret-mounts) add secrets as files in the build container + (under `/run/secrets` by default). +- [SSH mounts](#ssh-mounts) add SSH agent sockets or keys into the build container. + +This page shows how to use secrets with GitHub Actions. +For an introduction to secrets in general, see [Build secrets](../../building/secrets.md). + +## Secret mounts + In the following example uses and exposes the [`GITHUB_TOKEN` secret](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#about-the-github_token-secret) as provided by GitHub in your workflow. 
@@ -87,3 +99,137 @@ secrets: | > **Note** > > Double escapes are needed for quote signs. + +## SSH mounts + +SSH mounts let you authenticate with SSH servers. +For example to perform a `git clone`, +or to fetch application packages from a private repository. + +The following Dockerfile example uses an SSH mount +to fetch Go modules from a private GitHub repository. + +{{< accordion title="Dockerfile" >}} + +```dockerfile +# syntax=docker/dockerfile:1 + +ARG GO_VERSION="{{% param example_go_version %}}" + +FROM golang:${GO_VERSION}-alpine AS base +ENV CGO_ENABLED=0 +ENV GOPRIVATE="github.com/foo/*" +RUN apk add --no-cache file git rsync openssh-client +RUN mkdir -p -m 0700 ~/.ssh && ssh-keyscan github.com >> ~/.ssh/known_hosts +WORKDIR /src + +FROM base AS vendor +# this step configure git and checks the ssh key is loaded +RUN --mount=type=ssh <}} + +To build this Dockerfile, you must specify an SSH mount that the builder can +use in the steps with `--mount=type=ssh`. + +The following GitHub Action workflow uses the `MrSquaare/ssh-setup-action` +third-party action to bootstrap SSH setup on the GitHub runner. The action +creates a private key defined by the GitHub Action secret `SSH_GITHUB_PPK` and +adds it to the SSH agent socket file at `SSH_AUTH_SOCK`. The SSH mount in the +build step assume `SSH_AUTH_SOCK` by default, so there's no need to specify the +ID or path for the SSH agent socket explicitly. + +{{< tabs >}} +{{< tab name="`docker/build-push-action`" >}} + +```yaml +name: ci + +on: + push: + branches: + - "main" + +jobs: + docker: + runs-on: ubuntu-latest + steps: + - + name: Checkout + uses: actions/checkout@v3 + - + name: Set up SSH + uses: MrSquaare/ssh-setup-action@7bfdda6ef6839504e3a5b2625ad971b17461a0db # v3.0.0 + with: + host: github.com + private-key: ${{ secrets.SSH_GITHUB_PPK }} + private-key-name: github-ppk + - + name: Build and push + uses: docker/build-push-action@v5 + with: + context: . 
+ ssh: default + push: true + tags: user/app:latest +``` + +{{< /tab >}} +{{< tab name="`docker/bake-action`" >}} + +```yaml +name: ci + +on: + push: + branches: + - "main" + +jobs: + docker: + runs-on: ubuntu-latest + steps: + - + name: Checkout + uses: actions/checkout@v3 + - + name: Set up SSH + uses: MrSquaare/ssh-setup-action@7bfdda6ef6839504e3a5b2625ad971b17461a0db # v3.0.0 + with: + host: github.com + private-key: ${{ secrets.SSH_GITHUB_PPK }} + private-key-name: github-ppk + - + name: Build + uses: docker/bake-action@v4 + with: + set: | + *.ssh=default +``` + +{{< /tab >}} +{{< /tabs >}} diff --git a/hugo_stats.json b/hugo_stats.json index 2944f19a70..f11bad8742 100644 --- a/hugo_stats.json +++ b/hugo_stats.json @@ -20,12 +20,12 @@ "Before", "Buildkite", "CLI", - "CLI-Mac-/-Linux", - "CLI-Windows", "CentOS-7-and-RHEL-7", "CentOS-8-RHEL-8-and-Fedora", "Circle-CI", "Clone-with-git", + "Command-Prompt", + "Command-Prompt-CLI", "Compliant", "Debian", "Debian-GNU/Linux", @@ -40,6 +40,8 @@ "For-Mac-with-Apple-silicon", "For-Mac-with-Intel-chip", "For-all-platforms", + "Git-Bash", + "Git-Bash-CLI", "GitHub-Actions", "GitLab", "Go", @@ -58,13 +60,17 @@ "Linux", "Mac", "Mac-/-Linux", + "Mac-/-Linux-/-Git-Bash", + "Mac-/-Linux-/-PowerShell", "Mac-/-Linux-/-Windows-Git-Bash", + "Mac-/-Linux-CLI", "Mac-and-Linux", "Mac-with-Apple-silicon", "Mac-with-Intel-chip", "Node", "Non-compliant", "PowerShell", + "PowerShell-CLI", "Python", "Raw", "React", @@ -175,6 +181,8 @@ "dark:to-magenta-dark-400", "decoration-2", "decoration-blue-light", + "docker/bake-action", + "docker/build-push-action", "drop-shadow", "drop-shadow-sm", "duration-300",
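Review bot: The `ssh-keyscan github.com >> ~/.ssh/known_hosts` line in the example Dockerfile trusts whatever host key is served on the network at image-build time, so an attacker who can intercept that one request is also trusted for the later `git clone` over SSH that the `--mount=type=ssh` step performs. GitHub publishes its SSH host key fingerprints, and since this page is the reference readers will copy from, the example should pin the host key instead of appending an unverified scan, for instance `RUN echo "github.com ssh-ed25519 <GitHub's published public key>" >> ~/.ssh/known_hosts` with a comment like `# Pinned host key; an unverified ssh-keyscan result can be spoofed at build time`. A sentence near `ssh: default` would also help, noting that it forwards the runner's whole SSH agent (`SSH_AUTH_SOCK`) into every `RUN --mount=type=ssh` step, so the workflow should load only the single deploy key the build needs rather than a broadly scoped user key. The Dockerfile body in this hunk is garbled in the extraction (`RUN --mount=type=ssh <}}`), so the steps after the keyscan could not be reviewed.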