Replace build arguments with docker/compose secrets

Docker's documentation [suggests](https://docs.docker.com/reference/dockerfile/#arg) not to use build arguments to pass secrets, so this change updates the `Dockerfile` to use [secret mounts](https://docs.docker.com/build/building/secrets/#secret-mounts), and the recommended way to [manage secrets in docker compose](https://docs.docker.com/compose/how-tos/use-secrets/).
LBHackney-IT · Oct 8, 2024 · 793cf33 · 793cf33
1 parent 37112f4
commit 793cf33
Showing 1 changed file with 10 additions and 3 deletions.
diff --git a/Hackney.Shared.CautionaryAlerts.Tests/Dockerfile b/Hackney.Shared.CautionaryAlerts.Tests/Dockerfile
@@ -12,9 +12,16 @@ COPY ./Hackney.Shared.CautionaryAlerts.sln ./
 COPY ./Hackney.Shared.CautionaryAlerts/Hackney.Shared.CautionaryAlerts.csproj ./Hackney.Shared.CautionaryAlerts/
 COPY ./Hackney.Shared.CautionaryAlerts.Tests/Hackney.Shared.CautionaryAlerts.Tests.csproj ./Hackney.Shared.CautionaryAlerts.Tests/
 COPY /NuGet.Config /root/.nuget/NuGet/NuGet.Config
-
-RUN dotnet restore ./Hackney.Shared.CautionaryAlerts/Hackney.Shared.CautionaryAlerts.csproj
-RUN dotnet restore ./Hackney.Shared.CautionaryAlerts.Tests/Hackney.Shared.CautionaryAlerts.Tests.csproj
+# We mount secrets so they can't end up in logs or build layers.
+# We chain both restore commands so we only make the token available
+# once and don't store it elsewhere.
+# see:
+#   - https://docs.docker.com/reference/dockerfile/#arg
+#   - https://docs.docker.com/compose/how-tos/use-secrets/
+RUN --mount=type=secret,id=LBHPACKAGESTOKEN \
+  export LBHPACKAGESTOKEN=$(cat /run/secrets/LBHPACKAGESTOKEN) && \
+  dotnet restore ./Hackney.Shared.CautionaryAlerts/Hackney.Shared.CautionaryAlerts.csproj && \
+  dotnet restore ./Hackney.Shared.CautionaryAlerts.Tests/Hackney.Shared.CautionaryAlerts.Tests.csproj
 
 # Copy everything else and build
 COPY . .