Fix issue #24434: document secret mount behavior (#24442)
Conversation
dvdksn left a comment:
Secrets can appear as files or env vars in the build container. It's already described here: https://docs.docker.com/build/building/secrets/#secret-mounts
Better to cross-reference to that page for details than repeat here.
- Replace insecure 'cat' examples that expose secrets with secure usage
- Add cross-reference to main secrets documentation
- Add warning about never outputting secret values directly
- Fix line length issue (wrap long line)
- Show proper examples using secrets with curl

Addresses reviewer feedback on PR #24442

Assisted-By: docker-agent
Thank you for raising the security concern about the insecure example. You're absolutely right that we shouldn't show patterns that could lead to credential exposure. I've updated the documentation to:
The page now focuses exclusively on secure secret handling practices.
| ### How secrets appear in the build container | ||
|
|
||
| When you use a secret mount, the secret is made available as a file inside the build container. | ||
| By default, secrets are mounted to `/run/secrets/<id>`, where `<id>` is the secret identifier | ||
| you specify in the `--mount` instruction. | ||
|
|
||
| For more details on secret mounts, file locations, and permissions, | ||
| see [Secret mounts](/manuals/build/building/secrets.md#secret-mounts). | ||
|
|
||
| **File location:** | ||
|
|
||
| - Default path: `/run/secrets/<id>` (for example, `/run/secrets/github_token`) | ||
| - Custom path: Use the `target` option to specify a different location | ||
|
|
||
| **Environment variable secrets:** | ||
|
|
||
| When you use the `env` option in your secret mount | ||
| (like `--mount=type=secret,id=github_token,env=GITHUB_TOKEN`), | ||
| the secret file content is automatically loaded into the specified environment variable. | ||
| This is useful when tools expect credentials via environment variables rather than files. | ||
|
|
||
| **Example with custom target:** | ||
|
|
||
| ```dockerfile | ||
| # syntax=docker/dockerfile:1 | ||
| FROM alpine | ||
| # Mount secret to a custom location and use it with curl | ||
| RUN --mount=type=secret,id=github_token,target=/tmp/token \ | ||
| curl -H "Authorization: token $(cat /tmp/token)" https://api.github.com/user | ||
| ``` | ||
|
|
||
| **Example using secret as environment variable:** | ||
|
|
||
| ```dockerfile | ||
| # syntax=docker/dockerfile:1 | ||
| FROM alpine | ||
| # Load secret into environment variable | ||
| RUN --mount=type=secret,id=github_token,env=GITHUB_TOKEN \ | ||
| curl -H "Authorization: token ${GITHUB_TOKEN}" https://api.github.com/user | ||
| ``` | ||
|
|
||
| > [!WARNING] | ||
| > Never use commands like `cat`, `echo`, or `printenv` to output secret values directly, | ||
| > as this would expose them in build logs and layer history. | ||
| > Always consume secrets within commands without displaying their values. | ||
|
|
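Review bot: The warning at the end of this section says never to use `cat` to output secret values, but the custom-target example a few lines above does exactly that with `$(cat /tmp/token)`, so the two read as contradictory. Suggest rewording the warning to distinguish reading the secret file into a command substitution (nothing is written to the build output) from printing the value to stdout, and adding that shell tracing such as `set -x` or `curl -v` would echo the substituted `Authorization` header into the build log even in the "safe" examples.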
Again, this is mostly repeating what's in the build secrets doc. Rather than repeating it here, we should just have a brief callout here and link over to the canonical explanation. We don't need a full section here.
You're absolutely right. I've simplified this section to just a brief NOTE callout that cross-references the canonical Build secrets documentation. This keeps the page focused on GitHub Actions-specific usage while avoiding duplication of content that's already well-documented at /manuals/build/building/secrets.md. The new callout mentions the key points (default path, env option, target option) and links to the detailed explanation. Commit: 13aff3a
Replace detailed explanation of secret mount behavior with brief callout that cross-references the canonical Build secrets documentation. This avoids duplicating content that's already covered in detail at /manuals/build/building/secrets.md and keeps the GitHub Actions page focused on the GitHub Actions-specific usage patterns. Assisted-By: docker-agent
13aff3a to 292d433
Adds documentation explaining how secrets appear inside build containers when using GitHub Actions secret mounts.
Changes:
Fixes #24434