chore: use secret file instead of secret env Docker mounts

renlabs-dev · Dec 26, 2024 · 21c6501 · 21c6501
1 parent e0db974
commit 21c6501
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 8 deletions.
diff --git a/.github/workflows/build-docker.yml b/.github/workflows/build-docker.yml
@@ -34,18 +34,20 @@ jobs:
         id: prepare
         run: |
           echo "SANITIZED_REF=$(echo "${GITHUB_REF##*/}" | tr '/' '-')" >> $GITHUB_ENV
-          echo "AWS_ACCESS_KEY_ID="${{ secrets.AWS_ACCESS_KEY_ID }}" >> $GITHUB_ENV
-          echo "AWS_SECRET_ACCESS_KEY="${{ secrets.AWS_SECRET_ACCESS_KEY }}" >> $GITHUB_ENV
+          echo "${{ secrets.AWS_ACCESS_KEY_ID }}"     > "$HOME/aws-key-id.txt"
+          echo "${{ secrets.AWS_SECRET_ACCESS_KEY }}" > "$HOME/aws-secret-key.txt"
+          echo "AWS_ACCESS_KEY_ID_PATH=$HOME/aws-key-id.txt"         >> $GITHUB_ENV
+          echo "AWS_SECRET_ACCESS_KEY_PATH=$HOME/aws-secret-key.txt" >> $GITHUB_ENV
 
       - name: Build and push
         uses: docker/build-push-action@v6
         with:
           context: .
           push: true
           file: docker/node.dockerfile
-          secret-envs: |
-            aws-key-id=AWS_ACCESS_KEY_ID
-            aws-secret-key=AWS_SECRET_ACCESS_KEY
+          secret-files: |
+            aws-key-id=${{ env.AWS_ACCESS_KEY_ID_PATH }}
+            aws-secret-key=${{ env.AWS_SECRET_ACCESS_KEY_PATH }}
           build-args: |
             SCCACHE_BUCKET=torus-substrate-cache
             SCCACHE_ENDPOINT=${{ secrets.SCCACHE_ENDPOINT }}

diff --git a/docker/node.dockerfile b/docker/node.dockerfile
@@ -24,8 +24,10 @@ ENV PATH=/root/.cargo/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbi
 RUN curl https://sh.rustup.rs -sSf | \
     sh -s -- -y --profile=minimal --default-toolchain=1.82.0
 
-RUN --mount=type=secret,id=aws-key-id,env=AWS_ACCESS_KEY_ID \
-    --mount=type=secret,id=aws-secret-key,env=AWS_SECRET_ACCESS_KEY \
+RUN --mount=type=secret,id=aws-key-id \
+    --mount=type=secret,id=aws-secret-key \
+    export AWS_ACCESS_KEY_ID=$(cat /run/secrets/aws-key-id) && \
+    export AWS_SECRET_ACCESS_KEY=$(cat /run/secrets/aws-secret-key) && \
     if [ -n "$AWS_ACCESS_KEY_ID" ]; then \
         curl https://github.com/mozilla/sccache/releases/download/v0.9.0/sccache-v0.9.0-x86_64-unknown-linux-musl.tar.gz \
             -Lo sccache-v0.9.0-x86_64-unknown-linux-musl.tar.gz; \
@@ -38,7 +40,8 @@ RUN --mount=type=secret,id=aws-key-id,env=AWS_ACCESS_KEY_ID \
     fi; \
     cargo build -p torus-node --release --locked
 
-RUN --mount=type=secret,id=aws-key-id,env=AWS_ACCESS_KEY_ID \
+RUN --mount=type=secret,id=aws-key-id \
+    export AWS_ACCESS_KEY_ID=$(cat /run/secrets/aws-key-id) && \
     if [ -n "$AWS_ACCESS_KEY_ID" ]; then \
         ./sccache --show-stats; \
     fi

diff --git a/docker/secrets/.keep b/docker/secrets/.keep