
I'm having trouble passing a secret to build a Docker image through GitHub Actions. Even when I set the variable containing the secret as an environment variable, it seems like the secret is not being utilized in the build process.

I have a Dockerfile that requires sensitive information during the build. I've set up my GitHub repository with the necessary secrets, but when I attempt to access these secrets within the Docker build context, they seem to be unavailable.

What I've Tried

Here’s what I’ve tried with the variable PARCOURS_SECRET:

  1. Setting Up Secrets: I’ve added my secret in the GitHub repository settings under "Secrets".

  2. Using Environment Variables: I attempted to pass the secret as an environment variable in my GitHub Actions workflow.

Here's the relevant workflow file:

  - name: Build and Push Docker Image
    uses: docker/[email protected]
    with:
      context: .  # Use the current directory as the build context
      file: parent/composant-business/document-service/Dockerfile  # Specify the Dockerfile to use
      tags: ghcr.io/${{ github.actor }}/parcoursback-documents:${{ steps.get_version.outputs.version }}  # Tag for the built image
      load: true  # Load the image into the Docker daemon (for local use)
      cache-from: type=gha  # Use GitHub Actions cache as a cache source
      cache-to: type=gha,mode=max  # Store cache in GitHub Actions for future builds
      push: true  # Set to true if you want to push to a remote registry
      build-args: |
        PARCOURS_PACKAGES_URL=${{ secrets.PARCOURS_PACKAGES_URL }}
        PARCOURS_MICROSERVICE_VERSION=${{ steps.get_version.outputs.version }}
        PARCOURS_com_group_artifact=${{ vars.PARCOURS_COM_GROUP_ARTIFACT_DOCUMENT }}
        PARCOURS_SECRET=${{ secrets.PARCOURS_TOKEN }}

Here's the relevant part of my Dockerfile:

ARG PARCOURS_SECRET

RUN echo "Taking from : ${PARCOURS_PACKAGES_URL}/${PARCOURS_COM_GROUP_ARTIFACT}/${PARCOURS_MICROSERVICE_VERSION}/exemplaire-service-${PARCOURS_MICROSERVICE_VERSION}-develop.jar"

RUN curl -v -L -o exemplaire-service.jar \
      -H "Authorization: Bearer ${PARCOURS_SECRET}" \
      "${PARCOURS_PACKAGES_URL}/${PARCOURS_COM_GROUP_ARTIFACT}/${PARCOURS_MICROSERVICE_VERSION}/exemplaire-service-${PARCOURS_MICROSERVICE_VERSION}-develop.jar" \
      && ls -lh exemplaire-service.jar

Also notice that this is how I have passed it using a secret.

Inside the workflow, it looked like this:

  - name: Build and Push Docker Image
    uses: docker/[email protected]
    with:
      context: .  # Use the current directory as the build context
      file: parent/composant-business/exemplaire-service/Dockerfile  # Specify the Dockerfile to use
      tags: ghcr.io/${{ github.actor }}/parcoursback-exemplaire:${{ steps.get_version.outputs.version }}  # Tag for the built image
      load: true  # Load the image into the Docker daemon (for local use)
      cache-from: type=gha  # Use GitHub Actions cache as a cache source
      cache-to: type=gha,mode=max  # Store cache in GitHub Actions for future builds
      push: true  # Set to true if you want to push to a remote registry
      build-args: |
        PARCOURS_PACKAGES_URL=${{ secrets.PARCOURS_PACKAGES_URL }}
        PARCOURS_MICROSERVICE_VERSION=${{ steps.get_version.outputs.version }}
        PARCOURS_com_group_artifact=${{ vars.PARCOURS_COM_GROUP_ARTIFACT_EXEMPLAIRE }}
      secrets:
        PARCOURS_SECRET=${{ secrets.PARCOURS_TOKEN }}

And inside the Dockerfile:

RUN --mount=type=secret,id=PARCOURS_SECRET,dst=/home/pass_token curl -v -L -o exemplaire-service.jar \
      -H "Authorization: Bearer $(cat /home/pass_token)" \
      "${PARCOURS_PACKAGES_URL}/${PARCOURS_COM_GROUP_ARTIFACT}/${PARCOURS_MICROSERVICE_VERSION}/exemplaire-service-${PARCOURS_MICROSERVICE_VERSION}-develop.jar" \
      && ls -lh exemplaire-service.jar

Also, here is the relevant log concerning the curl command:

#14 0.079   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
#14 0.079                                  Dload  Upload   Total   Spent    Left  Speed
#14 0.079 
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 140.82.112.33:443...
#14 0.089 * TCP_NODELAY set
#14 0.095 * Connected to maven.pkg.github.com (140.82.112.33) port 443 (#0)
#14 0.096 * ALPN, offering h2
#14 0.096 * ALPN, offering http/1.1
#14 0.102 * successfully set certificate verify locations:
#14 0.102 *   CAfile: /etc/ssl/certs/ca-certificates.crt
#14 0.102   CApath: /etc/ssl/certs
#14 0.103 } [5 bytes data]
#14 0.103 * TLSv1.3 (OUT), TLS handshake, Client hello (1):
#14 0.103 } [512 bytes data]
#14 0.109 * TLSv1.3 (IN), TLS handshake, Server hello (2):
#14 0.109 { [122 bytes data]
#14 0.109 * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
#14 0.109 { [19 bytes data]
#14 0.114 * TLSv1.3 (IN), TLS handshake, Certificate (11):
#14 0.114 { [4847 bytes data]
#14 0.114 * TLSv1.3 (IN), TLS handshake, CERT verify (15):
#14 0.114 { [520 bytes data]
#14 0.114 * TLSv1.3 (IN), TLS handshake, Finished (20):
#14 0.114 { [36 bytes data]
#14 0.114 * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
#14 0.114 } [1 bytes data]
#14 0.114 * TLSv1.3 (OUT), TLS handshake, Finished (20):
#14 0.114 } [36 bytes data]
#14 0.114 * SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
#14 0.114 * ALPN, server accepted to use h2
#14 0.114 * Server certificate:
#14 0.114 *  subject: CN=*.pkg.github.com
#14 0.114 *  start date: Apr  8 00:00:00 2024 GMT
#14 0.114 *  expire date: Apr  8 23:59:59 2025 GMT
#14 0.114 *  subjectAltName: host "maven.pkg.github.com" matched cert's "*.pkg.github.com"
#14 0.114 *  issuer: C=GB; ST=Greater Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo RSA Domain Validation Secure Server CA
#14 0.114 *  SSL certificate verify ok.
#14 0.115 * Using HTTP2, server supports multi-use
#14 0.115 * Connection state changed (HTTP/2 confirmed)
#14 0.115 * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
#14 0.115 } [5 bytes data]
#14 0.115 * Using Stream ID: 1 (easy handle 0x55a63a569650)
#14 0.115 } [5 bytes data]
#14 0.115 > GET /kouamdo/parcoursback/cmr/notep/document-service/2.0-0014/document-service-2.0-0014-develop.jar HTTP/2
#14 0.115 > Host: maven.pkg.github.com
#14 0.115 > user-agent: curl/7.68.0
#14 0.115 > accept: */*
#14 0.115 > authorization: ***
#14 0.115 > 
#14 0.120 { [5 bytes data]
#14 0.120 * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
#14 0.120 { [57 bytes data]
#14 0.120 * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
#14 0.120 { [57 bytes data]
#14 0.120 * old SSL session ID is stale, removing
#14 0.120 { [5 bytes data]
#14 0.120 * Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
#14 0.120 } [5 bytes data]
#14 0.149 < HTTP/2 401 
#14 0.149 < access-control-allow-methods: GET, HEAD, OPTIONS
#14 0.149 < access-control-allow-origin: *
#14 0.149 < content-security-policy: default-src 'none';
#14 0.149 < content-type: text/plain; charset=utf-8
#14 0.149 < server: GitHub Registry
#14 0.149 < strict-transport-security: max-age=31536000;
#14 0.149 < x-content-type-options: nosniff
#14 0.149 < x-frame-options: DENY
#14 0.149 < x-xss-protection: 1; mode=block
#14 0.149 < date: Mon, 27 Jan 2025 14:13:23 GMT
#14 0.149 < content-length: 156
#14 0.149 < x-github-request-id: 45C0:2CDC52:212C7B8:263C61F:67979483
#14 0.149 < 
#14 0.149 { [156 bytes data]
#14 0.149 
100   156  100   156    0     0   2228      0 --:--:-- --:--:-- --:--:--  2228
#14 0.149 * Connection #0 to host maven.pkg.github.com left intact
#14 0.154 -rw-r--r-- 1 root root 156 Jan 27 14:13 document-service.jar
#14 DONE 0.2s

Here is the result of gh secret list:

C:\Users\Ledoux\Documents\parcoursback_forked>gh secret list
NAME                         UPDATED
PARCOURS_BD_NAME             about 27 days ago
PARCOURS_BD_URL              about 27 days ago
PARCOURS_DB_PASSWORD         about 27 days ago
PARCOURS_DB_USER             about 27 days ago
PARCOURS_PACKAGES_CONTAINER  about 6 days ago
PARCOURS_PACKAGES_URL        about 28 days ago
PARCOURS_TOKEN               about 26 days ago
PARCOURS_TOKEN1              about 1 month ago
PARCOURS_TOKEN_UPLOAD_REPO   about 6 days ago
SONAR_HOST_URL               about 2 months ago
SONAR_TOKEN                  about 1 month ago

In the logs, I can see that the JAR file is not being downloaded despite passing it as a secret, which means that the file is corrupted.

I would appreciate any guidance on how to ensure that my secret is being accessed correctly within the Docker build process. Are there specific steps I should follow to troubleshoot this issue? Thank you!

  • In the docker/build-push-action you can also use the secrets, secrets-envs, and secret-files inputs, did you try any of them instead of the build-args? Commented Jan 27 at 15:12
  • Yes of course, I have tried it already. I'm facing the same issue. Commented Jan 27 at 17:02
  • Could you give us a list of your secrets, for example by ensuring that PARCOURS_TOKEN shows up if you run gh secret list (the Github CLI)? Commented Jan 27 at 17:26
  • Could you show some of the log before the curl command is run / try to output your curl command to the Github Actions log? Make sure your secret is censored before posting it, though Github Actions normally does a good job at that. Commented Jan 27 at 17:30
  • @Dune, how can I catch the log before the curl? I have already sent the log concerning curl. Commented Jan 31 at 9:32
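A hardened version of the download step from the question, as an added example (this is not the asker's code): the token is read only from the BuildKit secret mount, curl fails on a non-2xx status instead of silently saving the 401 error body under the .jar name, and the file is checked for the ZIP magic bytes before the build proceeds. Assumed names are the script file fetch.sh, the /run/secrets/PARCOURS_SECRET default mount path and the read:packages scope hint in the error message.

```shell
#!/bin/sh
# fetch.sh (added example, not from the question). Intended to be called from the
# Dockerfile as:
#   RUN --mount=type=secret,id=PARCOURS_SECRET sh fetch.sh "$URL" exemplaire-service.jar
# BuildKit mounts the secret at /run/secrets/<id> by default; unlike ARG PARCOURS_SECRET,
# the mounted token is never written into an image layer or `docker history`.
set -eu

# Fail unless the file is a real JAR (ZIP local-file-header magic "PK\003\004").
# In the question's log a 156-byte text error body was saved as document-service.jar
# and `ls -lh` then reported success; this check turns that into a build failure.
verify_jar() {
    f="$1"
    [ -s "$f" ] || { echo "empty download: $f" >&2; return 1; }
    magic=$(head -c 4 "$f" | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "504b0304" ] || { echo "not a JAR (magic $magic): $f" >&2; return 1; }
    return 0
}

# Download $1 to $2 using the token in $3 (default: the BuildKit secret mount).
# --fail  : non-2xx responses make curl exit non-zero instead of writing the error page
# -sS     : no progress meter, but errors are still printed
# -w      : surface the HTTP status in the build log (the token itself is never echoed)
fetch_artifact() {
    url="$1"; out="$2"; token_file="${3:-/run/secrets/PARCOURS_SECRET}"
    [ -r "$token_file" ] || { echo "secret mount missing: $token_file" >&2; return 1; }
    status=$(curl -sS -L --fail -o "$out" -w '%{http_code}' \
        -H "Authorization: Bearer $(cat "$token_file")" "$url") \
        || { echo "download failed (HTTP ${status:-?}); a 401 means the token was rejected, check its read:packages scope" >&2; return 1; }
    echo "HTTP $status, $(wc -c < "$out") bytes -> $out"
    verify_jar "$out"
}
```

Note that the curl in the question has no --fail, so a 401 still exits 0 and the build continues with the error text on disk; the 401 itself is an authorization failure of PARCOURS_TOKEN, not a corrupted file.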
