Let's use RUN --mount=type=secret when building the job image, so that users' secret build vars can be read during the build without being baked into the image.
Currently, build env vars are passed as regular environment variables, which leaves a trace of each secret in the Docker layer history (anyone with access to the image can read the secret build vars).
Build env vars are particularly useful when the job needs to download a third-party library from a private git repository.
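As an added illustration (not the project's own Dockerfile), the leaky pattern beside the secret-mount form; the host name git.example.com, the repository path org/private-lib and the secret id git_token are placeholders:

```dockerfile
# syntax=docker/dockerfile:1
FROM python:3.12-slim
RUN apt-get update && apt-get install -y --no-install-recommends git \
    && rm -rf /var/lib/apt/lists/*
WORKDIR /job

# --- Leaky pattern (what the issue describes) ---
# Passing the token as a build arg / env var records it in the image
# metadata, and "docker history --no-trunc <image>" shows it to anyone
# who can pull the image:
#
#   ARG GIT_TOKEN
#   ENV GIT_TOKEN=$GIT_TOKEN
#   RUN git clone https://oauth2:${GIT_TOKEN}@git.example.com/org/private-lib.git
#
# built with: docker build --build-arg GIT_TOKEN=... -t job:leaky .

# --- Secret-mount pattern ---
# The secret is exposed as a file under /run/secrets only for the
# duration of this single RUN step and is never written to a layer.
# The token is supplied through a git credential helper rather than
# embedded in the clone URL, because a token in the URL would be
# persisted in the cloned repo's .git/config and thus in the layer.
RUN --mount=type=secret,id=git_token \
    git -c credential.helper='!f() { echo "username=oauth2"; echo "password=$(cat /run/secrets/git_token)"; }; f' \
        clone https://git.example.com/org/private-lib.git /job/private-lib

# built with:
#   docker build --secret id=git_token,src=./git_token.txt -t job:latest .
```

After the build, `docker history --no-trunc job:latest` shows only the RUN command text, not the token, and `/run/secrets/git_token` is absent from the final image.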