diff --git a/.github/workflows/staging_finance-accumulator-web-app.yml b/.github/workflows/staging_finance-accumulator-web-app.yml index 387bc52..c7c6bc4 100644 --- a/.github/workflows/staging_finance-accumulator-web-app.yml +++ b/.github/workflows/staging_finance-accumulator-web-app.yml @@ -31,15 +31,15 @@ jobs: with: push: true tags: codespice.azurecr.io/${{ secrets.AzureAppService_ContainerUsername_7669d7e7e983475bb9b74548501f3331 }}/finance_accumulator_web:${{ github.sha }} + secrets: | + id=stripe_key,src=${{ secrets.STRIPE_KEY }} + id=nextauth_url,src=${{ secrets.NEXTAUTH_URL }} + id=nextauth_secret,src=${{ secrets.NEXTAUTH_SECRET }} + id=auth_github_id,src=${{ secrets.AUTH_GITHUB_ID }} + id=auth_github_secret,src=${{ secrets.AUTH_GITHUB_SECRET }} + id=google_client_id,src=${{ secrets.GOOGLE_CLIENT_ID }} + id=google_client_secret,src=${{ secrets.GOOGLE_CLIENT_SECRET }} file: ./docker/staging/Dockerfile - build-args: | - STRIPE_KEY=${{ secrets.STRIPE_KEY }} - NEXTAUTH_URL=${{ secrets.NEXTAUTH_URL }} - NEXTAUTH_SECRET=${{ secrets.NEXTAUTH_SECRET }} - AUTH_GITHUB_ID=${{ secrets.AUTH_GITHUB_ID }} - AUTH_GITHUB_SECRET=${{ secrets.AUTH_GITHUB_SECRET }} - GOOGLE_CLIENT_ID=${{ secrets.GOOGLE_CLIENT_ID }} - GOOGLE_CLIENT_SECRET=${{ secrets.GOOGLE_CLIENT_SECRET }} deploy: runs-on: ubuntu-latest diff --git a/docker/staging/Dockerfile b/docker/staging/Dockerfile index 868e74b..14865c3 100644 --- a/docker/staging/Dockerfile +++ b/docker/staging/Dockerfile 
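Review bot: The new `secrets:` entries use the `docker build --secret` CLI form (`id=…,src=…`), where `src` names a file, but the values substituted here are the secret strings themselves. If this step is docker/build-push-action (the `uses:` line is outside the hunk), its `secrets` input expects one `id=value` pair per line, so these seven lines would most likely all be read as a secret named `id` and none of the ids the Dockerfile mounts would exist. Write them as `stripe_key=${{ secrets.STRIPE_KEY }}`, `nextauth_secret=${{ secrets.NEXTAUTH_SECRET }}`, and so on for the remaining five. Images already pushed were built with these values as build args, which can remain readable in image history, so the seven secrets are worth rotating and the older tags pruning from the registry.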
@@ -1,5 +1,16 @@ FROM node:18-alpine AS base +# Example of using a secret for installing npm packages +RUN --mount=type=secret,id=stripe_key \ + --mount=type=secret,id=nextauth_url \ + --mount=type=secret,id=nextauth_secret \ + --mount=type=secret,id=auth_github_id \ + --mount=type=secret,id=auth_github_secret \ + --mount=type=secret,id=google_client_id \ + --mount=type=secret,id=google_client_secret \ + echo "Using secrets in the build" + + # 1. Install dependencies only when needed FROM base AS deps # Check https://github.com/nodejs/docker-node/tree/b4117f9333da4138b03a546ec926ef50a31506c3#nodealpine to understand why libc6-compat might be needed.
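Review bot: The added `RUN` in the `base` stage mounts all seven secrets but only runs `echo`, so nothing reads them, and a secret mount exists only for the instruction that declares it; the later stages that install and build will not see these values. The mounts belong on the instruction that consumes them, read from the default path, e.g. `RUN --mount=type=secret,id=stripe_key,required=true STRIPE_KEY="$(cat /run/secrets/stripe_key)" <build command>`, where `required=true` makes a missing secret fail the build instead of silently mounting nothing. Any `ARG`/`ENV` lines for these names further down the file (outside this hunk) would now receive empty values and should be removed or replaced in the same change. The comment `# Example of using a secret for installing npm packages` does not describe this step and should name the command that uses the secrets.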