I have a GitHub Action to build an image from a Dockerfile located in the same repo as the GitHub Action.
In the Dockerfile I use sensitive data, so I chose to use GitHub Secrets.
Here is my Dockerfile:
```
FROM python:3.9.5
ARG NEXUS_USER
ARG NEXUS_PASS
RUN pip install --upgrade pip
RUN pip config set global.extra-index-url https://${NEXUS_USER}:${NEXUS_PASS}@<my nexus endpoint>
RUN pip config set global.trusted-host <my nexus endpoint>
COPY ./src/python /python-scripts
ENTRYPOINT [ "python", "/python-scripts/pipe.py" ]
```
The Action builds an image using this Dockerfile:
```
jobs:
  docker:
    runs-on: self-hosted
    .
    .
    .
    .
    .
      - name: build
        run: |
          docker build -t ${GITHUB_REPO} .
```
The Action fails when calling the GitHub secrets from the Dockerfile. What is the proper way to do that? As you can see, I tried to add ARG in the Dockerfile, but that didn't work either.
2 Answers
It is not clear where you are calling secrets from the Dockerfile. BTW, you could pass the credentials to the build command using the build-arg flag, like:

Just for people that will visit this page in the future.
The Docker `--build-arg` argument is not recommended for secrets. Secrets will remain in the image, and whoever downloads the image and inspects it will see your password.
Docker has its own argument for secrets, and it's `--secret`.
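
The `--secret` approach named in the answer above, applied to the question's Dockerfile. This is an added example, not part of the original answers; the `requirements.txt` file, the secret ids `nexus_user` and `nexus_pass`, and the workflow step exporting `NEXUS_USER` and `NEXUS_PASS` as environment variables are assumptions.

```dockerfile
# syntax=docker/dockerfile:1
# Added example: BuildKit secret mounts instead of ARG for the Nexus credentials.
FROM python:3.9.5

RUN pip install --upgrade pip

# Assumption: dependencies are listed in a requirements.txt at the repo root.
COPY requirements.txt /tmp/requirements.txt

# The secrets exist only as files under /run/secrets/ for the duration of this
# one RUN step. They are not written to an image layer and do not appear in
# `docker history`. The index URL is passed through pip's PIP_EXTRA_INDEX_URL
# environment variable for this command only, rather than `pip config set`,
# because `pip config set` would store the credentials in a config file
# inside the image.
RUN --mount=type=secret,id=nexus_user \
    --mount=type=secret,id=nexus_pass \
    PIP_EXTRA_INDEX_URL="https://$(cat /run/secrets/nexus_user):$(cat /run/secrets/nexus_pass)@<my nexus endpoint>" \
    PIP_TRUSTED_HOST="<my nexus endpoint>" \
    pip install --no-cache-dir -r /tmp/requirements.txt

COPY ./src/python /python-scripts
ENTRYPOINT [ "python", "/python-scripts/pipe.py" ]

# Build command for the workflow's `run:` step. NEXUS_USER and NEXUS_PASS are
# assumed to be exported to the step from GitHub Secrets via its `env:` map:
#
#   DOCKER_BUILDKIT=1 docker build \
#     --secret id=nexus_user,env=NEXUS_USER \
#     --secret id=nexus_pass,env=NEXUS_PASS \
#     -t ${GITHUB_REPO} .
```

Running `docker history --no-trunc` on the resulting image is a quick check that neither credential appears in any layer's build command.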