Closed Goldziher closed 6 months ago
Only the first two build arguments are parsed and the rest of them remain as a single string:
This means one of the arg's value is not properly escaped and probably has a "
char in its value. This is similar to how secrets parsing work: https://docs.docker.com/build/ci/github-actions/secrets/
Also I see you're passing sensitive information as build-arg (e.g. SEGMENT_WRITE_KEY=${{secrets.SEGMENT_WRITE_KEY}}
) which is a bad practice as it would leak credentials in the final image. Please use build time secrets for this: https://docs.docker.com/build/ci/github-actions/secrets/. More info https://docs.docker.com/build/building/secrets/.
@dvdksn I think we should have a similar page like "Secrets" for build arguments in our GHA docs. We could show both cases where user wants to set build arg with the build-push-action and another one with bake-action. WDYT?
Only the first two build arguments are parsed and the rest of them remain as a single string:
This means one of the arg's value is not properly escaped and probably has a
"
char in its value. This is similar to how secrets parsing work: https://docs.docker.com/build/ci/github-actions/secrets/Also I see you're passing sensitive information as build-arg (e.g.
SEGMENT_WRITE_KEY=${{secrets.SEGMENT_WRITE_KEY}}
) which is a bad practice as it would leak credentials in the final image. Please use build time secrets for this: https://docs.docker.com/build/ci/github-actions/secrets/. More info https://docs.docker.com/build/building/secrets/.@dvdksn I think we should have a similar page like "Secrets" for build arguments in our GHA docs. We could show both cases where user wants to set build arg with the build-push-action and another one with bake-action. WDYT?
there was a line break inside one of the values.
Yes. But this just means that the parsing is pretty brittle - its a very hard to identify issue.
Thanks for the tip about using secrets, ill certainly do this.
Yes. But this just means that the parsing is pretty brittle - its a very hard to identify issue.
Agree I will take a look if we can detect these cases and warn about it.
Current limitation with GitHub Actions inputs makes it hard to detect these cases but will look forward when GitHub implements objects for inputs. We might also consider using a new format such as YAML:
build-args: |
- BACKEND_URL: |
${{vars.BACKEND_URL}}
- BUILD_TARGET: |
${{env.SERVICE_NAME}}
Current limitation with GitHub Actions inputs makes it hard to detect these cases but will look forward when GitHub implements objects for inputs. We might also consider using a new format such as YAML:
build-args: | - BACKEND_URL: | ${{vars.BACKEND_URL}} - BUILD_TARGET: | ${{env.SERVICE_NAME}}
Thanks for your prompt replies ! Very nice 👍
Contributing guidelines
I've found a bug, and:
Description
There is an indeterminate behaviour parsing multiple build args. Sometimes it works as intended, sometimes the parsing results in a bug.
Given the following configuration:
I am seeing a bug where the commands are sometimes parsed correctly and sometimes not.
Expected behaviour
All build arguments are parsed correctly and have
--build-arg
set before them:Actual behaviour
Only the first two build arguments are parsed and the rest of them remain as a single string:
Repository URL
No response
Workflow run URL
No response
YAML workflow
Workflow logs
No response
BuildKit logs
No response
Additional info
No response