sylus
commented
2 years ago Yeah so this was never added as honestly I wasn't sure the best way to handle this.
The problem with this current method is then the credentials would then be baked into the container so anyone who has access to the container can see this file. Which if you create a token with proper scope just for a client might be ok and we can override the Dockerfile at your level using a patch.
I think this was not a convention I wanted to add natively that would opt people into. Also I could for-see people accidentally pushing their auth tokens to a public repo.
It is not recommended to use build-time variables for passing secrets like github keys, user credentials etc. Build-time variable values are visible to any user of the image with the docker history command.I think the best way at the moment is to use docker build secrets:
Or the more legacy way of using multi stage:
smulvih2
I need to support private GitHub repos in my builds, which requires an auth.json file at the root of the repo. Adding a conditional copy for auth.json. Tested with private GitHub repo and works as expected. Also tested without an auth.json file in repo and doesn't fail on COPY command. Could also be used for private packagist and GitLab repos.