entur / gha-docker

GitHub Actions for working with Docker
European Union Public License 1.2

Add possibility of passing artifact registry credentials to docker build #123

Open nils1k opened 1 week ago

nils1k commented 1 week ago

Is your feature request related to a problem? Please describe. We build our application using a multi-stage Docker build and have a dependency on artefacts residing in an internal registry. Currently, it is not supported to pass credentials to the docker/build-push-action in the shared workflow build, i.e. the action itself supports it, but it is not among the supported inputs in this workflow.

Describe the solution you'd like I want to be able to pass custom arguments to the docker build through the build-args input in docker/build-push-action. Here is an example:

Dockerfile

# Dockerfile
# Base image added so the fragment builds; the image tag is an assumption, not part of the original issue.
FROM gradle AS build
# Build arguments are exported as environment variables for RUN steps in this stage,
# which is what the Gradle build script below relies on.
ARG REGISTRY_USER
ARG REGISTRY_APIKEY

COPY src /app/src
COPY build.gradle.kts settings.gradle.kts /app/
WORKDIR /app
RUN gradle build

build.gradle.kts

repositories {
    maven {
        setUrl("myRegistry")
        credentials {
            username = System.getenv("REGISTRY_USER")
            password = System.getenv("REGISTRY_APIKEY")
        }
    }
}

build.yml

name: build
on: [push, pull_request]

env:
  REGISTRY_USER: '${{ secrets.REGISTRY_USER }}'
  REGISTRY_APIKEY: '${{ secrets.REGISTRY_APIKEY }}'

jobs:
  build:
    name: Build application
    needs: lint
    uses: entur/gha-docker/.github/workflows/build.yml@v1.3.8
    with:
      build-args: |
        --build-arg REGISTRY_USER=${REGISTRY_USER}
        --build-arg REGISTRY_APIKEY=${REGISTRY_APIKEY}

Describe alternatives you've considered Use secret mounts.

Additional context N/A

Glenn-Terjesen commented 1 week ago

In your example, change to:

    with:
      build-args: |
        REGISTRY_USER
        REGISTRY_APIKEY

We don't have to show/set the values if not necessary :-) ref: https://docs.docker.com/reference/cli/docker/buildx/build/#build-arg

In the Dockerfile, don't you have to set the ENV as well as ARG? (I might be outdated on that one) (and with a default value)

ARG REGISTRY_USER=nobody
ENV REGISTRY_USER=$REGISTRY_USER

Other than that I think this will be a great addition :-)

nils1k commented 1 week ago

Agree, that's a good point. I think the ENV can be omitted, but that is easy enough to test. Thanks :-) Should I create a fork and start working on the feature, then?

Glenn-Terjesen commented 6 days ago

Unfortunately the ARGs are visible in a docker history command. https://github.com/docker/cli/issues/2473 Passing secrets/secret-files to the action got messy really fast. We are currently discussing other methods of doing this.
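The leak described above is easy to reproduce and easy to check for. The script below is an added example, not code from the gha-docker project or from the participants: it writes a Dockerfile that reads the registry credentials from a BuildKit secret mount instead of ARG (so the values only exist in a tmpfs during the one RUN step and are never recorded in image metadata), and it defines a check that scans `docker history` output for a given credential value. The history samples are constructed to match the `{{.CreatedBy}}` shape BuildKit produces, the base image tag, secret ids and the placeholder API key are assumptions, and `check_image_history` is a hypothetical wrapper that runs the real `docker history` when Docker is available.

```shell
#!/bin/sh
# Added example (not part of the entur/gha-docker project).

# Write a Dockerfile that takes credentials via --mount=type=secret.
# The secret ids (registry_user, registry_apikey) and the base image are assumptions.
write_secret_dockerfile() {
  cat > "$1" <<'EOF'
# syntax=docker/dockerfile:1
FROM gradle:8-jdk17 AS build
WORKDIR /app
COPY build.gradle.kts settings.gradle.kts ./
COPY src ./src
# The files under /run/secrets exist only while this RUN step executes.
# They are not written to a layer and their contents are not recorded in history.
RUN --mount=type=secret,id=registry_user \
    --mount=type=secret,id=registry_apikey \
    REGISTRY_USER="$(cat /run/secrets/registry_user)" \
    REGISTRY_APIKEY="$(cat /run/secrets/registry_apikey)" \
    gradle build --no-daemon
EOF
}

# Scan history text for a credential value. Prints LEAK if the value appears
# anywhere in the history, CLEAN otherwise. Fixed-string match, so special
# characters in the secret are not interpreted as a pattern.
check_history_text() {
  history_text=$1
  secret_value=$2
  if printf '%s\n' "$history_text" | grep -F -q -- "$secret_value"; then
    echo LEAK
  else
    echo CLEAN
  fi
}

# Hypothetical live wrapper: run the same check against a real local image.
# Usage: check_image_history <image> <secret-value>
check_image_history() {
  image=$1
  secret_value=$2
  live_history=$(docker history --no-trunc --format '{{.CreatedBy}}' "$image") || return 2
  check_history_text "$live_history" "$secret_value"
}

# Constructed sample: what `docker history --no-trunc --format '{{.CreatedBy}}'`
# looks like for the ARG-based build from the issue. BuildKit prefixes the RUN
# step with the build args in effect ("|2 NAME=value ..."), so the key is stored
# in the image and shipped to anyone who can pull it.
SAMPLE_ARG_HISTORY='RUN |2 REGISTRY_USER=ci-bot REGISTRY_APIKEY=EXAMPLE-APIKEY-PLACEHOLDER /bin/sh -c gradle build # buildkit
COPY build.gradle.kts settings.gradle.kts /app/ # buildkit
COPY src /app/src # buildkit
ARG REGISTRY_APIKEY
ARG REGISTRY_USER'

# Constructed sample for the secret-mount Dockerfile above: the RUN line records
# the mount paths and the command, but never the secret contents.
SAMPLE_SECRET_HISTORY='RUN /bin/sh -c REGISTRY_USER="$(cat /run/secrets/registry_user)" REGISTRY_APIKEY="$(cat /run/secrets/registry_apikey)" gradle build --no-daemon # buildkit
COPY src ./src # buildkit
COPY build.gradle.kts settings.gradle.kts ./ # buildkit
WORKDIR /app'

# Demo run over the constructed samples.
echo "ARG-based build:    $(check_history_text "$SAMPLE_ARG_HISTORY" EXAMPLE-APIKEY-PLACEHOLDER)"
echo "secret-mount build: $(check_history_text "$SAMPLE_SECRET_HISTORY" EXAMPLE-APIKEY-PLACEHOLDER)"
```

On the CI side the mount is fed with `docker buildx build --secret id=registry_apikey,env=REGISTRY_APIKEY`, or through the `secrets` input of docker/build-push-action (one `id=value` line per secret), which is the input the shared workflow in this issue would need to expose. The same `check_history_text` scan is worth running in CI against the built image before it is pushed, so a future change that moves a credential back into a build arg is caught at build time rather than after the image is public.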