Use Docker Compose secrets

LBHackney-IT · Oct 1, 2024 · 7375d06 · 7375d06
1 parent c655bce
commit 7375d06
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 2 deletions.
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -62,6 +62,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: build-and-test
     env:
+      LBHPACKAGESTOKEN: ${{secrets.GITHUB_TOKEN }}
       VERSION: ${{ needs.build-and-test.outputs.version }}
     steps:
       - name: Checkout

diff --git a/Hackney.Shared.HousingSearch.Tests/Dockerfile b/Hackney.Shared.HousingSearch.Tests/Dockerfile
@@ -11,8 +11,13 @@ COPY ./Hackney.Shared.HousingSearch.Tests/Hackney.Shared.HousingSearch.Tests.csp
 COPY /nuget.config /root/.nuget/NuGet/NuGet.Config
 
 # We mount secrets so they can't end up in logs or build layers.
-# see https://docs.docker.com/reference/dockerfile/#arg
-RUN --mount=type=secret,id=LBHPACKAGESTOKEN,env=LBHPACKAGESTOKEN \
+# We chain both restore commands so we only make the token available
+# once and don't store it elsewhere.
+# see:
+#   - https://docs.docker.com/reference/dockerfile/#arg
+#   - https://docs.docker.com/compose/how-tos/use-secrets/ 
+RUN --mount=type=secret,id=LBHPACKAGESTOKEN \
+  export LBHPACKAGESTOKEN=$(cat /run/secrets/LBHPACKAGESTOKEN) && \
   dotnet restore ./Hackney.Shared.HousingSearch/Hackney.Shared.HousingSearch.csproj && \
   dotnet restore ./Hackney.Shared.HousingSearch.Tests/Hackney.Shared.HousingSearch.Tests.csproj
 

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -7,3 +7,10 @@ services:
       context: .
       dockerfile: Hackney.Shared.HousingSearch.Tests/Dockerfile
 
+      # Mounts the secret at /run/secrets/LBHPACKAGESTOKEN
+      secrets:
+        - LBHPACKAGESTOKEN
+
+secrets:
+  LBHPACKAGESTOKEN:
+    environment: LBHPACKAGESTOKEN