Secret-files not found in docker/build-push-action@v6, but works with docker buildx build #1326

Closed · 3 tasks done
ni920 opened this issue Feb 20, 2025 · 6 comments

Comments

ni920 commented Feb 20, 2025

Contributing guidelines

I've found a bug, and:

  • The documentation does not mention anything about my problem
  • There are no open or closed issues that are related to my problem

Description

I am using docker/build-push-action@v6 in a GitHub Actions pipeline to build a Docker image.
I need to pass a pip.conf file as a BuildKit secret to authenticate private dependencies, but --mount=type=secret does not find the file inside the container.

However, when I run the same command manually using docker buildx build, it works perfectly.

Expected behaviour

The build should safely pass the pip.conf file and allow the installation of private dependencies similar to the BuildX command.

Actual behaviour

  • The build fails because private dependencies cannot be found.
  • /run/secrets/pip does not exist in the container when using docker/build-push-action@v6.

Repository URL

No response

Workflow run URL

No response

YAML workflow

name: Build and push Docker images

on:
  push:
    branches:
      - main

jobs:
  build:
    runs-on: ubuntu-latest

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Configure Python
        run: |
          mkdir -p $GITHUB_WORKSPACE/.config/pip
          touch $GITHUB_WORKSPACE/.config/pip/pip.conf
          chmod 777 $GITHUB_WORKSPACE/.config/pip/pip.conf
          echo "[global]
          extra-index-url = ${{ secrets.CONF }}" > $GITHUB_WORKSPACE/.config/pip/pip.conf

      - name: Build and push Docker images
        uses: docker/build-push-action@v6
        with:
          context: python
          platforms: linux/amd64
          push: false
          pull: true
          tags: myrepo/myimage:latest
          build-args: |
            DOCKER_BUILDKIT=1
            BUILDKIT_INLINE_CACHE=1
          secrets: |
            id=pip,src=$GITHUB_WORKSPACE/.config/pip/pip.conf

Workflow logs

#11 [stage-0  6/19] RUN --mount=type=secret,id=pip cat /run/secrets/pip
#11 0.057 cat: /run/secrets/pip: No such file or directory
#11 ERROR: process "/bin/sh -c cat /run/secrets/pip" did not complete successfully: exit code: 1
------
 > [stage-0  6/19] RUN --mount=type=secret,id=pip cat /run/secrets/pip:
0.057 cat: /run/secrets/pip: No such file or directory
------
WARNING: No output specified with docker-container driver. Build result will only remain in the build cache. To push result image into registry use --push or to load image into docker use --load

 1 warning found (use docker --debug to expand):
 - JSONArgsRecommended: JSON arguments recommended for CMD to prevent unintended behavior related to OS signals (line 45)
Dockerfile:16
--------------------
  14 |     COPY 
  15 |     
  16 | >>> RUN --mount=type=secret,id=pip cat /run/secrets/pip
  17 |     
  18 |     
--------------------
ERROR: failed to solve: process "/bin/sh -c cat /run/secrets/pip" did not complete successfully: exit code: 1

BuildKit logs

/run/secrets/pip]" span="[stage-0  6/19] RUN --mount=type=secret,id=pip cat /run/secrets/pip" spanID=c3a8bc4238784a98 traceID=065f55e9d73222365a821a620ce6e48e
  time="2025-02-20T14:26:53Z" level=error msg="/moby.buildkit.v1.Control/Solve returned error: rpc error: code = Unknown desc = process \"/bin/sh -c cat /run/secrets/pip\" did not complete successfully: exit code: 1" spanID=9f7e0cbc7a43c0c2 traceID=065f55e9d73222365a821a620ce6e48e
  process "/bin/sh -c cat /run/secrets/pip" did not complete successfully: exit code: 1

Additional info

What I Have Checked

The pip.conf file exists in the build context and is not empty.
Running the command manually with docker buildx build works perfectly:

docker buildx build \
  --platform linux/amd64 \
  --pull \
  --build-arg BUILDKIT_INLINE_CACHE=1 \
  --secret id=pip,src=$GITHUB_WORKSPACE/.config/pip/pip.conf \
  -t test:123 \
  python

BuildKit is enabled (DOCKER_BUILDKIT=1).
Debugging with ls confirms that the file exists before the build starts.
This issue only happens with docker/build-push-action@v6.

I have further analyzed the issue and found the following insights:

  1. Running docker buildx build directly → works.
    The secret is passed correctly, /run/secrets/pip is available.

  2. Using docker/build-push-action@v5 with secret-files: or
    secrets: with the exact same path → does not work.

    Error, even though the file exists.

  3. Tried different Paths for the file:

    • $GITHUB_WORKSPACE/.config/pip/pip.conf
    • $GITHUB_WORKSPACE/python/pip.conf
    • $GITHUB_WORKSPACE/pip.conf
    • $HOME/pip.conf
    • /.config/pip/pip.conf
    • python/pip.conf
    • /pip.conf

    → Same Error even though the file exists at every place

I also created a question on Stackoverflow

crazy-max (Member) commented Feb 20, 2025

Same as #293 (comment):

Action inputs don't support/expand shell. You have to use the env def.

In your case:

          secrets: |
            id=pip,src=${{ env.GITHUB_WORKSPACE }}/.config/pip/pip.conf

or you can use the secret-files input:

    secret-files: |
      pip=${{ env.GITHUB_WORKSPACE }}/.config/pip/pip.conf

ni920 (Author) commented Feb 20, 2025

@crazy-max Both suggestions do not work

crazy-max (Member) commented Feb 20, 2025

Can you show full logs of your workflow or link to your repo please?

ni920 (Author) commented Feb 21, 2025

@crazy-max I appreciate your help, but unfortunately, I can’t share the full logs or link to the repository since this is a company project. However, if you let me know which specific details you need, I can provide relevant logs or configurations while ensuring confidentiality.

To clarify, I have tested both of the following approaches:

secret-files: |
  pip=${{ env.GITHUB_WORKSPACE }}/.config/pip/pip.conf

And:

secrets: |
  id=pip,src=${{ env.GITHUB_WORKSPACE }}/.config/pip/pip.conf

Neither of them worked. However, when I use docker buildx build manually, the secret is passed correctly, and /run/secrets/pip is available inside the container.

I also noticed that $GITHUB_WORKSPACE is set automatically, but $env.GITHUB_WORKSPACE appears to be empty by default and not explicitly configured.
Could you clarify how this behaves in docker/build-push-action@v6?

Additionally, if you have a minimal working example that I can run as-is, I would be happy to test it on my setup to compare the results.

Thanks again for your time!

crazy-max (Member) commented Feb 21, 2025

Ah I see why it doesn't work now: https://docs.docker.com/build/ci/github-actions/secrets/

The secrets input is a list of secrets as key-value pairs like GIT_AUTH_TOKEN=token, not a path to the secret.

And secret-files is a list of key-filename pairs like MY_SECRET=./secret.txt.

See docs https://docs.docker.com/build/ci/github-actions/secrets/ and inputs description in our README: https://github.com/docker/build-push-action/?tab=readme-ov-file#inputs

So in your case you could use secret-files:

secret-files: |
  pip=${{ env.GITHUB_WORKSPACE }}/.config/pip/pip.conf

But it seems env.GITHUB_WORKSPACE is not evaluated after testing:

(screenshot omitted)

github.workspace (https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/accessing-contextual-information-about-workflow-runs#github-context) seems to work though:

      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      -
        name: Configure Python
        run: |
          mkdir -p $GITHUB_WORKSPACE/.config/pip
          echo "[global]
          extra-index-url = ${{ secrets.BPUSH_1326 }}" > $GITHUB_WORKSPACE/.config/pip/pip.conf
      -
        name: Build and push
        uses: docker/build-push-action@v6
        with:
          context: ./bpush-1326
          secret-files: |
            pip=${{ github.workspace }}/.config/pip/pip.conf

Also you could just use secrets and directly pass the file content so you don't need to create the file in previous step:

      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      -
        name: Build and push
        uses: docker/build-push-action@v6
        with:
          context: ./bpush-1326
          secrets: |
            "pip=[global]
            extra-index-url = ${{ secrets.BPUSH_1326 }}"

ni920 (Author) commented Feb 21, 2025

@crazy-max Thank you so much! That finally solved my problem. Using ${{ github.workspace }} for secret-files: and adjusting permissions within the Dockerfile did the trick.

I really appreciate your help – you just saved my week! 🎉
