docker-compatible container build --secret id=aws,... for RUN --mount=type=secret
I haven't done much Swift before, so watch out for any stupid mistakes I may have made. One design caveat: I passed secrets by copying the build-args code, because they're functionally the same. But, systems are supposed to take care that the secret values aren't logged or stored anywhere, so HTTP headers are a much riskier way to send them than transporting them separately in a new BuildTransfer. I nevertheless used the headers to send the secrets because 1. it seemed easier 2. I didn't notice anything that would log or record these headers 3. it looked like the headers and BuildTransfers alike are just data sent through gRPC, so, not much practical difference right now.
| } | ||
|
|
||
| var secretsData: [String: Data] = [:] | ||
| for secret in self.secret { |
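Review bot: In the `for secret in self.secret` loop, `secretsData` is a dictionary keyed by secret id, so a repeated id on the command line would replace the earlier value without an error unless the loop body checks for it. The body is not visible here, so please confirm that duplicate ids are rejected. Because `secretsData` holds the raw secret bytes, it should also stay out of any log line or error message built on this path, and the option property would read better as `secrets` since it is iterated as a collection.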
Could we move this part under validate function? #1273 as an example.
Moved it. Let me know if I did what you were expecting.
docker-compatible --secret id=key,... arg for container build, that works with Dockerfiles with RUN --mount=type=secret
Requires apple/container-builder-shim#69
Type of Change
Motivation and Context
Adds support for Dockerfiles that use build secrets (e.g. RUN --mount=type=secret ...)
Testing