✨ Add support to secret env

[vinicius73]

Allow to use environment variables as secret during docker build.

---

Eventually we need pass some environment variables to docker build to allow interactions with dynamic sources like AWS.

Those environment variables are avaible after some previous github actions steps, like configure-aws-credentials

I use the docker/build-push-action action in a very strict environment, is encapsulated by other actions who I don't have access directly.

This change (and another change in build-push-action) will unlock this limitation and solve the problem.

docker build --progress plain \
    --secret id=AWS_ACCESS_KEY_ID,env="AWS_ACCESS_KEY_ID" \
    --secret id=AWS_SECRET_ACCESS_KEY,env="AWS_SECRET_ACCESS_KEY" \
    --secret id=AWS_SESSION_TOKEN,env="AWS_SESSION_TOKEN" \
    -t image:tag

[crazy-max]

and another change in build-push-action

I was wondering what we were going to do in docker/build-push-action. Perhaps you were thinking of a new secret-envs input? Thanks for your contrib btw!

[vinicius73]

Yes @crazy-max, a new input option must be created.

[crazy-max]

LGTM thanks

[vinicius73]

Thanks @crazy-max.
Can you release a new version with this change?

[crazy-max]

@vinicius73 Updated the toolkit on build push action repo docker/build-push-action#875 if you're willing to contribute for the follow-up 🙏

[crazy-max]

@vinicius73 I was wondering why you could not use the secrets input directly?

      -
        name: Build
        uses: docker/build-push-action@v4
        with:
          context: .
          secrets: |
            "AWS_ACCESS_KEY_ID=${{ env.AWS_ACCESS_KEY_ID }}"

[vinicius73]

Hi @crazy-max, unfortunately I don't have direct access to the action.
It's under a external action whon I import in my workflow.

I am only able to pass some arguments to this workflow, and inside that it will call docker build action with my arguments.

Inside my dockerfile I must use the aws credentials, that credentials are loaded in runtime in a previous step.

Because of that I can't pass a environment variable as secret argument.
The variable will be passed to the imported workflow, before the docker build step.
At this point, the variable don't exist yet.

[crazy-max]

Then how do you set secrets when calling this reusable workflow?

[vinicius73]

The AWS creadentials are dinamic and generated with https://github.com/aws-actions/configure-aws-credentials

[crazy-max]

Sure but it still needs to be specified in our action that you want to use envs as secrets. Can you post your workflow please?