diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 336023b..fc384fb 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -9,8 +9,6 @@ jobs:
 calculate-version:
 name: Calculate Version
 runs-on: ubuntu-latest
- env:
- LBHPACKAGESTOKEN: ${{ secrets.LBHPACKAGESTOKEN }}
 outputs:
 version: ${{ steps.gitversion.outputs.nuGetVersionV2 }}
 steps:
@@ -35,8 +33,6 @@ jobs:
 name: Check code formatting
 runs-on: ubuntu-latest
 needs: calculate-version
- env:
- LBHPACKAGESTOKEN: ${{ secrets.LBHPACKAGESTOKEN }}
 steps:
 - name: Checkout
 uses: actions/checkout@v2
@@ -50,23 +46,23 @@ jobs:
 runs-on: ubuntu-latest
 needs: calculate-version
 env:
- LBHPACKAGESTOKEN: ${{ secrets.LBHPACKAGESTOKEN }}
+ LBHPACKAGESTOKEN: ${{ secrets.GITHUB_TOKEN }}
 outputs:
 version: ${{ needs.calculate-version.outputs.version }}
 steps:
 - name: Checkout
 uses: actions/checkout@v2
 - name: Build
- run: docker-compose build hackney-shared-asset-test
+ run: docker compose build hackney-shared-asset-test
 - name: Run tests
- run: docker-compose run hackney-shared-asset-test
+ run: docker compose run hackney-shared-asset-test
 publish-package:
 name: Publish Package
 runs-on: ubuntu-latest
 needs: build-and-test
 env:
- LBHPACKAGESTOKEN: ${{ secrets.LBHPACKAGESTOKEN }}
+ LBHPACKAGESTOKEN: ${{ secrets.GITHUB_TOKEN }}
 VERSION: ${{ needs.build-and-test.outputs.version }}
 steps:
 - name: Checkout
@@ -76,4 +72,4 @@ jobs:
 - name: Publish the Package
 run: |
 cd Hackney.Shared.Asset/bin/Release
- dotnet nuget push Hackney.Shared.Asset.*.nupkg -s https://nuget.pkg.github.com/LBHackney-IT/index.json --api-key ${{ secrets.NUGET_KEY }}
\ No newline at end of file
+ dotnet nuget push Hackney.Shared.Asset.*.nupkg -s https://nuget.pkg.github.com/LBHackney-IT/index.json --api-key ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file
diff --git a/Hackney.Shared.Asset.Tests/Dockerfile b/Hackney.Shared.Asset.Tests/Dockerfile
index f1254fc..55875c9 100644
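Review bot: Both `LBHPACKAGESTOKEN: ${{ secrets.GITHUB_TOKEN }}` lines in this hunk (build-and-test and publish-package), and the `--api-key ${{ secrets.GITHUB_TOKEN }}` change in the last hunk, depend on the job token carrying `packages: read` for the restore and `packages: write` for the push, yet no `permissions:` block is visible in the changed lines; if the workflow declares none, the token's scope falls back to the repository's default setting and the push can fail with 403 where the restricted default applies. Declare least privilege per job, e.g. `permissions:` / `contents: read` / `packages: write` on publish-package and `packages: read` on build-and-test. GITHUB_TOKEN can only read packages that this repository is linked to, so if the restore pulls LBHackney-IT packages published from other repositories, confirm those packages grant this repository read access now that the org-wide PAT is gone. Since only the Build and Run tests steps consume the token, moving `LBHPACKAGESTOKEN` from the job-level `env:` to those two steps' `env:` keeps it out of the checkout step's environment. Both job definitions start outside the hunk.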
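Review bot: The rewritten push line still leaves the file without a terminating newline (`\ No newline at end of file` remains on the new side), so every later edit to this step keeps producing a two-line diff; end the file with a newline. The step now interpolates the same token twice (job `env:` and the `${{ }}` expression inside `run:`); reading the env var instead gives one source of truth: `dotnet nuget push Hackney.Shared.Asset.*.nupkg -s https://nuget.pkg.github.com/LBHackney-IT/index.json --api-key "$LBHPACKAGESTOKEN"`. If re-runs of a successful publish are expected, `--skip-duplicate` on that line avoids a failure when the version already exists.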
--- a/Hackney.Shared.Asset.Tests/Dockerfile
+++ b/Hackney.Shared.Asset.Tests/Dockerfile
@@ -3,8 +3,6 @@ FROM mcr.microsoft.com/dotnet/core/sdk:3.1
 # disable microsoft telematry
 ENV DOTNET_CLI_TELEMETRY_OPTOUT='true'
-ARG LBHPACKAGESTOKEN
-ENV LBHPACKAGESTOKEN=$LBHPACKAGESTOKEN
 WORKDIR /app
 # Copy csproj and restore as distinct layers
@@ -13,8 +11,16 @@ COPY ./Hackney.Shared.Asset/Hackney.Shared.Asset.csproj ./Hackney.Shared.Asset/
 COPY ./Hackney.Shared.Asset.Tests/Hackney.Shared.Asset.Tests.csproj ./Hackney.Shared.Asset.Tests/
 COPY /nuget.config /root/.nuget/NuGet/NuGet.Config
-RUN dotnet restore ./Hackney.Shared.Asset/Hackney.Shared.Asset.csproj
-RUN dotnet restore ./Hackney.Shared.Asset.Tests/Hackney.Shared.Asset.Tests.csproj
+# We mount secrets so they can't end up in logs or build layers.
+# We chain both restore commands so we only make the token available
+# once and don't store it elsewhere.
+# see:
+# - https://docs.docker.com/reference/dockerfile/#arg
+# - https://docs.docker.com/compose/how-tos/use-secrets/
+RUN --mount=type=secret,id=LBHPACKAGESTOKEN \
+ export LBHPACKAGESTOKEN=$(cat /run/secrets/LBHPACKAGESTOKEN) && \
+ dotnet restore ./Hackney.Shared.Asset/Hackney.Shared.Asset.csproj && \
+ dotnet restore ./Hackney.Shared.Asset.Tests/Hackney.Shared.Asset.Tests.csproj
 # Copy everything else and build
 COPY . .
diff --git a/docker-compose.yml b/docker-compose.yml
index 3fd247c..b2974bb 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -6,5 +6,12 @@ services:
 build:
 context: .
 dockerfile: Hackney.Shared.Asset.Tests/Dockerfile
- args:
- - LBHPACKAGESTOKEN=${LBHPACKAGESTOKEN}
\ No newline at end of file
+ secrets:
+ - LBHPACKAGESTOKEN
+
+# see https://docs.docker.com/compose/how-tos/use-secrets/#build-secrets
+# Combines with a "secrets" block in each service to expose it as a file in
+# /run/secrets/, e.g. /run/secrets/LBHPACKAGESTOKEN
+secrets:
+ LBHPACKAGESTOKEN:
+ environment: LBHPACKAGESTOKEN
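Review bot: When the secret is not supplied to the build, `export LBHPACKAGESTOKEN=$(cat /run/secrets/LBHPACKAGESTOKEN)` still exits 0 — `export`'s status masks cat's failure — so the chained `dotnet restore` runs with an empty token and fails later with an authentication error instead of at the cause; make the mount mandatory: `RUN --mount=type=secret,id=LBHPACKAGESTOKEN,required=true \`. `--mount` is BuildKit-only; if nothing above the `FROM` line (outside this hunk) pins a frontend, a `# syntax=docker/dockerfile:1` first line makes that requirement explicit instead of depending on the daemon's default builder. Whether `dotnet restore` reads `LBHPACKAGESTOKEN` at all depends on the copied `nuget.config`, which this diff does not show, so that mapping is worth a one-line comment here. Unrelated to the change itself, the base image `mcr.microsoft.com/dotnet/core/sdk:3.1` named in the hunk header is out of support.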
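Review bot: The `environment: LBHPACKAGESTOKEN` source under the top-level `secrets:` is a recent Compose v2 addition (the `file:` source is the long-standing one), so an older `docker compose` on the runner rejects the file before the build starts; record that next to the link, e.g. `# requires a Compose v2 release that supports the secret "environment" source`. Declaring the secret under `build:` scopes it to image build only, so the container started by `docker compose run` never sees the token, which is the right boundary for a restore credential. If `LBHPACKAGESTOKEN` is unset in the caller's shell, Compose still passes an empty secret, so pair this with a `required=true` secret mount in the Dockerfile to fail fast. The `hackney-shared-asset-test` service definition starts outside the hunk.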