From 7375d062fb7a4d487f8204412df3856e1b3d99c9 Mon Sep 17 00:00:00 2001
From: Ryan Brooks
Date: Tue, 1 Oct 2024 11:21:46 +0100
Subject: [PATCH] Use Docker Compose secrets

---
 .github/workflows/publish.yml | 1 +
 Hackney.Shared.HousingSearch.Tests/Dockerfile | 9 +++++++--
 docker-compose.yml | 7 +++++++
 3 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index b4e30d1..26cad4e 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -62,6 +62,7 @@ jobs:
 runs-on: ubuntu-latest
 needs: build-and-test
 env:
+ LBHPACKAGESTOKEN: ${{secrets.GITHUB_TOKEN }}
 VERSION: ${{ needs.build-and-test.outputs.version }}
 steps:
 - name: Checkout
diff --git a/Hackney.Shared.HousingSearch.Tests/Dockerfile b/Hackney.Shared.HousingSearch.Tests/Dockerfile
index df3d242..7c60493 100644
--- a/Hackney.Shared.HousingSearch.Tests/Dockerfile
+++ b/Hackney.Shared.HousingSearch.Tests/Dockerfile
@@ -11,8 +11,13 @@ COPY ./Hackney.Shared.HousingSearch.Tests/Hackney.Shared.HousingSearch.Tests.csp
 COPY /nuget.config /root/.nuget/NuGet/NuGet.Config
 
 # We mount secrets so they can't end up in logs or build layers.
-# see https://docs.docker.com/reference/dockerfile/#arg
-RUN --mount=type=secret,id=LBHPACKAGESTOKEN,env=LBHPACKAGESTOKEN \
+# We chain both restore commands so we only make the token available
+# once and don't store it elsewhere.
+# see:
+# - https://docs.docker.com/reference/dockerfile/#arg
+# - https://docs.docker.com/compose/how-tos/use-secrets/
+RUN --mount=type=secret,id=LBHPACKAGESTOKEN \
+ export LBHPACKAGESTOKEN=$(cat /run/secrets/LBHPACKAGESTOKEN) && \
 dotnet restore ./Hackney.Shared.HousingSearch/Hackney.Shared.HousingSearch.csproj && \
 dotnet restore ./Hackney.Shared.HousingSearch.Tests/Hackney.Shared.HousingSearch.Tests.csproj
 
diff --git a/docker-compose.yml b/docker-compose.yml
index 28c185b..256edd4 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
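Review bot: The added `LBHPACKAGESTOKEN` is declared at job level, so `GITHUB_TOKEN` is exported into the environment of every step of the publish job, including the checkout step and any third-party actions, rather than only the step that runs the Compose build. Declaring it in that step's own `env:` block keeps the token scoped to the one process that needs it, e.g. `env:` / `  LBHPACKAGESTOKEN: ${{ secrets.GITHUB_TOKEN }}` under the build step instead of here. The expression also drops the space after the opening braces (`${{secrets.GITHUB_TOKEN }}`), unlike the neighbouring `VERSION` line; `${{ secrets.GITHUB_TOKEN }}` matches the file's style. If the workflow restricts `permissions:` somewhere outside this hunk, the token presumably also needs `packages: read` for the restore to authenticate against the feed in nuget.config; I can't confirm that from the hunk.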
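Review bot: The new `--mount=type=secret,id=LBHPACKAGESTOKEN` line is still an optional mount, so when the image is built without that secret (a plain `docker build`, or Compose with the `environment` source unset) the file under `/run/secrets` does not exist, `cat` fails inside the command substitution, `export` still returns zero, and both `dotnet restore` calls proceed with an empty token — the failure surfaces as an authentication error from the feed rather than a clear missing-secret error. Adding `required=true` makes BuildKit reject the build up front: `RUN --mount=type=secret,id=LBHPACKAGESTOKEN,required=true \`. The token then lives only in the environment of this single RUN shell and the mounted file, so nothing persists into a layer as the comment says; keeping `set -x` or `env` dumps out of that shell keeps it out of the build log as well. The `#arg` link carried over into the new comment points at the wrong section — the `RUN --mount=type=secret` section of the Dockerfile reference is the one that applies now.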
@@ -7,3 +7,10 @@ services:
 context: .
 dockerfile: Hackney.Shared.HousingSearch.Tests/Dockerfile
+ # Mounts the secret at /run/secrets/LBHPACKAGESTOKEN
+ secrets:
+ - LBHPACKAGESTOKEN
+
+secrets:
+ LBHPACKAGESTOKEN:
+ environment: LBHPACKAGESTOKEN
 
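Review bot: The comment `# Mounts the secret at /run/secrets/LBHPACKAGESTOKEN` describes something Compose does not decide here: for a build secret the path comes from the Dockerfile's `RUN --mount` (which defaults to `/run/secrets/<id>`), and the secret exists only for the duration of that RUN instruction, not in the running container. Indentation is not recoverable in this rendering, so I can't confirm the service-level `secrets:` list sits under `build:` next to `context` and `dockerfile`; if it is at the service level instead, it becomes a runtime secret and the build never sees it, which is worth checking before merge. A more accurate comment would be `# Build-time secret: the Dockerfile's RUN --mount exposes it to the restore step only`. The `environment: LBHPACKAGESTOKEN` source takes the value from the variable of that name in the shell running `docker compose build`, so the job-level env in publish.yml (or a local export) must be set; stating that next to the top-level `secrets:` block would save the next reader a trip to the Compose docs.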