Open jshbrntt opened 1 month ago
Contributing guidelines

I've found a bug, and:

Description

When passing a multi-line secret as specified in this documentation, if the secret contains newline characters at the end, they will be trimmed, leading to a malformed secret value during the `docker build` step. This is problematic for secrets with significant whitespace such as private SSH keys.

Expected behaviour

The output of `xxd` in the `docker build` step should contain the whitespace declared as part of the `secrets` input variable:

```
00000000: 5445 5354 4553 5454 4553 5445 5354 5445  TESTESTTESTESTTE
00000010: 5354 4553 5454 4553 5445 5354 0a54 4553  STESTTESTEST.TES
00000020: 5445 5354 5445 5354 4553 5454 4553 5445  TESTTESTESTTESTE
00000030: 5354 5445 5354 4553 540a 5445 5354 4553  STTESTEST.TESTES
00000040: 5454 4553 5445 5354 5445 5354 4553 5454  TTESTESTTESTESTT
00000050: 4553 5445 5354 0a0a 0a0a                 ESTEST....
```

As it does when you pass a file (containing trailing whitespace) through a secret mount.

Actual behaviour

Inside the `docker build` step:

```dockerfile
# ...
RUN --mount=type=secret,id=PRIVATE_SSH_KEY,target=/root/.ssh/id_rsa \
    xxd /root/.ssh/id_rsa
```

The output of this step is the following (notice the lack of newline characters at the end):

```
#8 [ubuntu-base 4/4] RUN --mount=type=secret,id=PRIVATE_SSH_KEY,target=/root/.ssh/id_rsa     xxd /root/.ssh/id_rsa
#8 0.045 00000000: 5445 5354 4553 5454 4553 5445 5354 5445  TESTESTTESTESTTE
#8 0.045 00000010: 5354 4553 5454 4553 5445 5354 0a54 4553  STESTTESTEST.TES
#8 0.045 00000020: 5445 5354 5445 5354 4553 5454 4553 5445  TESTTESTESTTESTE
#8 0.045 00000030: 5354 5445 5354 4553 540a 5445 5354 4553  STTESTEST.TESTES
#8 0.045 00000040: 5454 4553 5445 5354 5445 5354 4553 5454  TTESTESTTESTESTT
#8 0.045 00000050: 4553 5445 5354                           ESTEST
```

Repository URL

No response

Workflow run URL

No response

YAML workflow

```yaml
- uses: docker/build-push-action@v6
  with:
    secrets: |
      "PRIVATE_SSH_KEY=TESTESTTESTESTTESTESTTESTEST
      TESTESTTESTESTTESTESTTESTEST
      TESTESTTESTESTTESTESTTESTEST
      "
```

Workflow logs

No response

BuildKit logs

No response

Additional info

No response
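The check below is an added example, not code from the issue or from the docker/build-push-action project. It shows one way a multi-line value loses its trailing newlines on the way to a file (POSIX command substitution strips them; this is an illustrative mechanism, not a claim about where the action itself trims the value), a portable test of whether a mounted secret file still ends in a 0x0a byte, and a stopgap that appends one newline when it is missing. The sample value is constructed to mirror the issue's `TESTEST...` lines and is not a real key; `mounted` and `trimmed` are just local file names.

```sh
#!/bin/sh
# Added example; not from the issue or from docker/build-push-action.
# Constructed sample: three 28-byte lines, each followed by "\n", plus
# one blank line, so the value ends in two newline bytes (88 bytes total).
SAMPLE='TESTESTTESTESTTESTESTTESTEST
TESTESTTESTESTTESTESTTESTEST
TESTESTTESTESTTESTESTTESTEST

'

# Byte count of FILE, with any padding wc emits removed.
size_of() {
    wc -c < "$1" | tr -d ' '
}

# Return 0 if FILE is non-empty and its last byte is 0x0a ("\n").
# tail -c 1 and od are POSIX, so this works where xxd is not installed.
ends_with_newline() {
    [ -s "$1" ] || return 1
    last=$(tail -c 1 "$1" | od -An -tx1 | tr -d ' \n')
    [ "$last" = "0a" ]
}

# Append one "\n" to FILE if it does not already end with one, then
# re-check. Stopgap only: it cannot know how many newlines the original
# value carried, it only guarantees the parser sees at least one.
ensure_trailing_newline() {
    if ! ends_with_newline "$1"; then
        printf '\n' >> "$1"
    fi
    ends_with_newline "$1"
}

# Write VALUE to FILE byte for byte: what a secret mount is expected to do.
write_verbatim() {
    printf '%s' "$1" > "$2"
}

# Write VALUE to FILE after passing it through "$(...)". Command
# substitution strips every trailing newline, which reproduces the
# trimmed shape shown in the issue's actual output. (Illustrative
# mechanism; not a statement about the action's implementation.)
write_via_subst() {
    trimmed=$(printf '%s' "$1")
    printf '%s' "$trimmed" > "$2"
}

# Demo: compare the two paths on the sample, then restore the newline.
tmp=$(mktemp -d)
write_verbatim "$SAMPLE" "$tmp/mounted"
write_via_subst "$SAMPLE" "$tmp/trimmed"
if ends_with_newline "$tmp/mounted"; then
    echo "mounted: $(size_of "$tmp/mounted") bytes, ends with newline"
fi
if ! ends_with_newline "$tmp/trimmed"; then
    echo "trimmed: $(size_of "$tmp/trimmed") bytes, trailing newlines lost"
fi
ensure_trailing_newline "$tmp/trimmed"
echo "restored: $(size_of "$tmp/trimmed") bytes"
rm -rf "$tmp"
```

Inside a build step the same test can run against the mounted path (for example `tail -c 1 /root/.ssh/id_rsa | od -An -tx1`) before the key is used, which turns a confusing parser error later in the build into an explicit failure at the point where the secret arrives. Note that the restored file in the demo is 87 bytes, not the original 88: appending a newline recovers a parseable key but not the exact bytes, so the real fix is for the value to reach the mount unchanged.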