Merge pull request #37 from seek-oss/verbatim-secret-flag

Support verbatim secret flag values
seek-oss · Jul 7, 2021 · 058047e · 058047e
2 parents 9e01f43 + 51e8349
commit 058047e
Show file tree

Hide file tree

Showing 3 changed files with 43 additions and 4 deletions.
diff --git a/README.md b/README.md
@@ -212,9 +212,25 @@ steps:
       - docker#v3.8.0
 ```
 
-You must have a recent version of Docker with BuildKit enabled to use secrets.
-BuildKit will be enabled automatically if any secrets are present in the
-configuration.
+You can also specify the full `--secret` flag value if you need more control:
+
+```yaml
+steps:
+  - command: echo amaze
+    env:
+      SECRET: wow
+    plugins:
+      - seek-oss/private-npm#v1.2.0:
+          env: SECRET
+      - seek-oss/docker-ecr-cache#v1.10.0:
+          secrets:
+            - id=npmrc,src=.npmrc
+      - docker#v3.8.0
+```
+
+You must have a recent version of Docker with BuildKit support to use secrets.
+This plugin will automatically enable BuildKit via the `DOCKER_BUILDKIT`
+environment variable if any secrets are present in the configuration.
 
 ### Changing the max cache time
 

diff --git a/hooks/lib/stdlib.bash b/hooks/lib/stdlib.bash
@@ -24,10 +24,22 @@ read_secrets() {
   read_list_property 'SECRETS'
   for arg in ${result[@]+"${result[@]}"}; do
     secrets_args+=("--secret")
-    secrets_args+=("id=${arg},env=${arg}")
+    if [[ "${arg}" =~ ^id= ]]; then
+      # Assume this is a full argument like id=123,src=path/to/file
+      secrets_args+=("${arg}")
+    else
+      # Assume this is environment variable shorthand like SECRET_ENV
+      secrets_args+=("id=${arg},env=${arg}")
+    fi
   done
 }
 
+read_secrets_with_output() {
+  read_secrets
+
+  echo "${secrets_args[@]}"
+}
+
 # read a plugin property of type [array, string] into a Bash array. Buildkite
 # exposes a string value at BUILDKITE_PLUGIN_{NAME}_{KEY}, and array values at
 # BUILDKITE_PLUGIN_{NAME}_{KEY}_{IDX}.

diff --git a/tests/stdlib.bats b/tests/stdlib.bats
@@ -19,6 +19,17 @@ pre_command_hook="$PWD/hooks/pre-command"
   # coverage happens via later tests of compute_tag.
 }
 
+@test "Can read secrets from array" {
+  export BUILDKITE_PLUGIN_DOCKER_ECR_CACHE_SECRETS_1="FOO"
+  export BUILDKITE_PLUGIN_DOCKER_ECR_CACHE_SECRETS_2="id=1,env=BAR"
+  export BUILDKITE_PLUGIN_DOCKER_ECR_CACHE_SECRETS_3="id=2,src=path/to/secret.txt"
+
+  run read_secrets_with_output
+
+  assert_success
+  assert_output "--secret id=FOO,env=FOO --secret id=1,env=BAR --secret id=2,src=path/to/secret.txt"
+}
+
 @test "Can get default image name" {
   export BUILDKITE_ORGANIZATION_SLUG="example-org"
   export BUILDKITE_PIPELINE_SLUG="example-pipeline"