Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

bug parsing build args #1026

Closed
3 tasks done
Goldziher opened this issue Dec 14, 2023 · 5 comments
Closed
3 tasks done

bug parsing build args #1026

Goldziher opened this issue Dec 14, 2023 · 5 comments
Labels
kind/docs

Comments

@Goldziher
Copy link

Contributing guidelines

I've found a bug, and:

  • The documentation does not mention anything about my problem
  • There are no open or closed issues that are related to my problem

Description

There is an indeterminate behaviour parsing multiple build args. Sometimes it works as intended, sometimes the parsing results in a bug.

Given the following configuration:

jobs:
    build:
        runs-on: ubuntu-latest
        timeout-minutes: 15
        permissions:
            contents: read
            id-token: write
        steps:
            - name: Checkout
              id: checkout
              uses: actions/checkout@v4
            - name: Set up QEMU
              uses: docker/setup-qemu-action@v3
            - name: Set up Docker BuildX
              uses: docker/setup-buildx-action@v3
            - name: Build and Push
              uses: docker/build-push-action@v5
              with:
                  push: true
                  context: .
                  file: ${{env.FILE_PATH}}
                  build-args: |
                      BACKEND_URL=${{vars.BACKEND_URL}}
                      BUILD_TARGET=${{env.SERVICE_NAME}}
                      DISCORD_INVITE_URL=${{env.DISCORD_INVITE_URL}}
                      FIREBASE_API_KEY=${{secrets.FIREBASE_API_KEY}}
                      FIREBASE_APP_ID=${{vars.FIREBASE_APP_ID}}
                      FIREBASE_AUTH_DOMAIN=${{vars.FIREBASE_AUTH_DOMAIN}}
                      FIREBASE_MEASUREMENT_ID=${{vars.FIREBASE_MEASUREMENT_ID}}
                      FIREBASE_MESSAGE_SENDER_ID=${{vars.FIREBASE_MESSAGING_SENDER_ID}}
                      FIREBASE_MICROSOFT_TENANT_ID=${{vars.FIREBASE_MICROSOFT_TENANT_ID}}
                      FIREBASE_PROJECT_ID=${{vars.GCP_PROJECT_ID}}
                      FIREBASE_STORAGE_BUCKET=${{vars.FIREBASE_STORAGE_BUCKET}}
                      FRONTEND_HOST=${{vars.FRONTEND_HOST}}
                      SEGMENT_WRITE_KEY=${{secrets.SEGMENT_WRITE_KEY}}
                      SERVICE_NAME=${{env.SERVICE_NAME}}

I am seeing a bug where the commands are sometimes parsed correctly and sometimes not.

Expected behaviour

All build arguments are parsed correctly and have --build-arg set before them:

/usr/bin/docker buildx build --build-arg BACKEND_URL=value --build-arg BUILD_TARGET=value --build-arg DISCORD_INVITE_URL=value --build-arg FIREBASE_API_KEY=value --build-arg FIREBASE_APP_ID=value --build-arg FIREBASE_AUTH_DOMAIN=value --build-arg FIREBASE_MEASUREMENT_ID=value --build-arg FIREBASE_MESSAGE_SENDER_ID=value --build-arg FIREBASE_MICROSOFT_TENANT_ID=value --build-arg FIREBASE_PROJECT_ID=value --build-arg FIREBASE_STORAGE_BUCKET=value --build-arg FRONTEND_HOST=value --build-arg SEGMENT_WRITE_KEY=value --build-arg SERVICE_NAME=value --file ./docker/Dockerfile.frontend --iidfile /home/runner/work/_temp/docker-actions-toolkit-bGcbJX/iidfile <...redacted>

Actual behaviour

Only the first two build arguments are parsed and the rest of them remain as a single string:

/usr/bin/docker buildx build --build-arg BACKEND_URL=value --build-arg BUILD_TARGET=value
DISCORD_INVITE_URL=value
FIREBASE_API_KEY=value
FIREBASE_APP_ID=value
FIREBASE_AUTH_DOMAIN=value
FIREBASE_MEASUREMENT_ID=value
FIREBASE_MESSAGE_SENDER_ID=value
FIREBASE_MICROSOFT_TENANT_ID=value
FIREBASE_PROJECT_ID=value
FIREBASE_STORAGE_BUCKET=value
FRONTEND_HOST=value
SEGMENT_WRITE_KEY=value
SERVICE_NAME=value --file ./docker/Dockerfile.frontend --iidfile /home/runner/work/_temp/docker-actions-toolkit-bGcbJX/iidfile <...redacted>

Repository URL

No response

Workflow run URL

No response

YAML workflow

name: 'Build (Frontend)'
on:
    push:
        branches:
            - main
env:
    SERVICE_NAME: my-service
    FILE_PATH: ./docker/Dockerfile.frontend
    DISCORD_INVITE_URL: https://discord.gg
jobs:
    build:
        runs-on: ubuntu-latest
        timeout-minutes: 15
        permissions:
            contents: read
            id-token: write
        steps:
            - name: Checkout
              id: checkout
              uses: actions/checkout@v4
            - name: Set up QEMU
              uses: docker/setup-qemu-action@v3
            - name: Set up Docker BuildX
              uses: docker/setup-buildx-action@v3
            - name: Build and Push
              uses: docker/build-push-action@v5
              with:
                  push: true
                  context: .
                  file: ${{env.FILE_PATH}}
                  build-args: |
                      BACKEND_URL=${{vars.BACKEND_URL}}
                      BUILD_TARGET=${{env.SERVICE_NAME}}
                      DISCORD_INVITE_URL=${{env.DISCORD_INVITE_URL}}
                      FIREBASE_API_KEY=${{secrets.FIREBASE_API_KEY}}
                      FIREBASE_APP_ID=${{vars.FIREBASE_APP_ID}}
                      FIREBASE_AUTH_DOMAIN=${{vars.FIREBASE_AUTH_DOMAIN}}
                      FIREBASE_MEASUREMENT_ID=${{vars.FIREBASE_MEASUREMENT_ID}}
                      FIREBASE_MESSAGE_SENDER_ID=${{vars.FIREBASE_MESSAGING_SENDER_ID}}
                      FIREBASE_MICROSOFT_TENANT_ID=${{vars.FIREBASE_MICROSOFT_TENANT_ID}}
                      FIREBASE_PROJECT_ID=${{vars.GCP_PROJECT_ID}}
                      FIREBASE_STORAGE_BUCKET=${{vars.FIREBASE_STORAGE_BUCKET}}
                      FRONTEND_HOST=${{vars.FRONTEND_HOST}}
                      SEGMENT_WRITE_KEY=${{secrets.SEGMENT_WRITE_KEY}}
                      SERVICE_NAME=${{env.SERVICE_NAME}}
                  tags: |
                      ${{vars.GCP_REGION}}-docker.pkg.dev/${{vars.GCP_PROJECT_ID}}/basemind/${{env.SERVICE_NAME}}:latest
                      ${{vars.GCP_REGION}}-docker.pkg.dev/${{vars.GCP_PROJECT_ID}}/basemind/${{env.SERVICE_NAME}}:${{github.sha}}

``

Workflow logs

No response

BuildKit logs

No response

Additional info

No response
@crazy-max
Copy link
Member

crazy-max commented Dec 14, 2023
edited
Loading

Only the first two build arguments are parsed and the rest of them remain as a single string:

This means one of the arg's value is not properly escaped and probably has a " char in its value. This is similar to how secrets parsing work: https://docs.docker.com/build/ci/github-actions/secrets/

Also I see you're passing sensitive information as build-arg (e.g. SEGMENT_WRITE_KEY=${{secrets.SEGMENT_WRITE_KEY}}) which is a bad practice as it would leak credentials in the final image. Please use build time secrets for this: https://docs.docker.com/build/ci/github-actions/secrets/. More info https://docs.docker.com/build/building/secrets/.

@dvdksn I think we should have a similar page like "Secrets" for build arguments in our GHA docs. We could show both cases where user wants to set build arg with the build-push-action and another one with bake-action. WDYT?

@crazy-max crazy-max mentioned this issue Dec 14, 2023
Closed
3 tasks
@Goldziher
Copy link
Author

Only the first two build arguments are parsed and the rest of them remain as a single string:

This means one of the arg's value is not properly escaped and probably has a " char in its value. This is similar to how secrets parsing work: https://docs.docker.com/build/ci/github-actions/secrets/

Also I see you're passing sensitive information as build-arg (e.g. SEGMENT_WRITE_KEY=${{secrets.SEGMENT_WRITE_KEY}}) which is a bad practice as it would leak credentials in the final image. Please use build time secrets for this: https://docs.docker.com/build/ci/github-actions/secrets/. More info https://docs.docker.com/build/building/secrets/.

@dvdksn I think we should have a similar page like "Secrets" for build arguments in our GHA docs. We could show both cases where user wants to set build arg with the build-push-action and another one with bake-action. WDYT?

there was a line break inside one of the values.

Yes. But this just means that the parsing is pretty brittle - its a very hard to identify issue.

Thanks for the tip about using secrets, ill certainly do this.

@crazy-max
Copy link
Member

Yes. But this just means that the parsing is pretty brittle - its a very hard to identify issue.

Agree I will take a look if we can detect these cases and warn about it.

@crazy-max
Copy link
Member

Current limitation with GitHub Actions inputs makes it hard to detect these cases but will look forward when GitHub implements objects for inputs. We might also consider using a new format such as YAML:

                  build-args: |
                      - BACKEND_URL: |
                          ${{vars.BACKEND_URL}}
                      - BUILD_TARGET: |
                          ${{env.SERVICE_NAME}}

@Goldziher
Copy link
Author

Current limitation with GitHub Actions inputs makes it hard to detect these cases but will look forward when GitHub implements objects for inputs. We might also consider using a new format such as YAML:

                  build-args: |
                      - BACKEND_URL: |
                          ${{vars.BACKEND_URL}}
                      - BUILD_TARGET: |
                          ${{env.SERVICE_NAME}}

Thanks for your prompt replies ! Very nice 👍

@bschilder bschilder mentioned this issue Mar 12, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/docs
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@crazy-max @Goldziher