Use GITHUB_TOKEN in GitHub Actions

.github/workflows/publish.yml

@@ -10,8 +10,6 @@ jobs:
   calculate-version:
     name: Calculate Version
     runs-on: ubuntu-latest
-    env:
-      LBHPACKAGESTOKEN: ${{secrets.LBHPACKAGESTOKEN }}
     outputs:
       version: ${{ steps.gitversion.outputs.nuGetVersionV2 }}
     steps:
@@ -36,8 +34,6 @@ jobs:
     name: Check code formatting
     runs-on: ubuntu-latest
     needs: calculate-version
-    env:
-      LBHPACKAGESTOKEN: ${{secrets.LBHPACKAGESTOKEN }}
     steps:
       - name: Checkout
         uses: actions/checkout@v2
@@ -51,16 +47,16 @@ jobs:
     runs-on: ubuntu-latest
     needs: calculate-version
     env:
-      LBHPACKAGESTOKEN: ${{secrets.LBHPACKAGESTOKEN }}
+      LBHPACKAGESTOKEN: ${{secrets.GITHUB_TOKEN }}
     outputs:
       version: ${{ needs.calculate-version.outputs.version }}
     steps:
       - name: Checkout
         uses: actions/checkout@v2
       - name: Build
-        run: docker-compose build hackney-shared-processes-test
+        run: docker compose build hackney-shared-processes-test
       - name: Run tests
-        run: docker-compose run hackney-shared-processes-test
+        run: docker compose run hackney-shared-processes-test
 
   publish-package:
     name: Publish Package
@@ -70,8 +66,7 @@ jobs:
      - check-code-formatting
     env:
       VERSION: ${{ needs.build-and-test.outputs.version }}
-      LBHPACKAGESTOKEN: ${{secrets.LBHPACKAGESTOKEN }}
-      NUGET_DEPLOY_KEY: ${{secrets.NUGET_DEPLOY_KEY }}
+      LBHPACKAGESTOKEN: ${{ secrets.GITHUB_TOKEN }}
     steps:
       - name: Checkout
         uses: actions/checkout@v2
@@ -80,4 +75,4 @@ jobs:
       - name: Publish the Package
         run: |
           cd Hackney.Shared.Processes/bin/Release
-          dotnet nuget push Hackney.Shared.Processes.*.nupkg -s https://nuget.pkg.github.com/LBHackney-IT/index.json --api-key ${{secrets.NUGET_DEPLOY_KEY }}
+          dotnet nuget push Hackney.Shared.Processes.*.nupkg -s https://nuget.pkg.github.com/LBHackney-IT/index.json --api-key ${{ secrets.GITHUB_TOKEN }}

Hackney.Shared.Processes.Tests/Dockerfile

@@ -3,8 +3,6 @@ FROM mcr.microsoft.com/dotnet/core/sdk:3.1
 # disable microsoft telematry
 ENV DOTNET_CLI_TELEMETRY_OPTOUT='true'
 
-ARG LBHPACKAGESTOKEN
-ENV LBHPACKAGESTOKEN=$LBHPACKAGESTOKEN
 WORKDIR /app
 
 # Copy csproj and restore as distinct layers
@@ -13,8 +11,16 @@ COPY ./Hackney.Shared.Processes/Hackney.Shared.Processes.csproj ./Hackney.Shared
 COPY ./Hackney.Shared.Processes.Tests/Hackney.Shared.Processes.Tests.csproj ./Hackney.Shared.Processes.Tests/
 COPY /nuget.config /root/.nuget/NuGet/NuGet.Config
 
-RUN dotnet restore ./Hackney.Shared.Processes/Hackney.Shared.Processes.csproj
-RUN dotnet restore ./Hackney.Shared.Processes.Tests/Hackney.Shared.Processes.Tests.csproj
+# We mount secrets so they can't end up in logs or build layers.
+# We chain both restore commands so we only make the token available
+# once and don't store it elsewhere.
+# see:
+#   - https://docs.docker.com/reference/dockerfile/#arg
+#   - https://docs.docker.com/compose/how-tos/use-secrets/
+RUN --mount=type=secret,id=LBHPACKAGESTOKEN \
+  export LBHPACKAGESTOKEN=$(cat /run/secrets/LBHPACKAGESTOKEN) && \
+  dotnet restore ./Hackney.Shared.Processes/Hackney.Shared.Processes.csproj && \
+  dotnet restore ./Hackney.Shared.Processes.Tests/Hackney.Shared.Processes.Tests.csproj
 
 # Copy everything else and build
 COPY . .

docker-compose.yml

@@ -6,5 +6,12 @@ services:
     build:
       context: .
       dockerfile: Hackney.Shared.Processes.Tests/Dockerfile
-      args:
-        - LBHPACKAGESTOKEN=${LBHPACKAGESTOKEN}
+      secrets:
+        - LBHPACKAGESTOKEN
+
+# see https://docs.docker.com/compose/how-tos/use-secrets/#build-secrets
+# Combines with a "secrets" block in each service to expose it as a file in
+# /run/secrets/, e.g. /run/secrets/LBHPACKAGESTOKEN
+secrets:
+  LBHPACKAGESTOKEN:
+    environment: LBHPACKAGESTOKEN