Support secrets for building the cached image #36
Conversation
| plugins: | ||
| - seek-oss/docker-ecr-cache#v1.9.0: | ||
| secrets: | ||
| - SECRET |
There was a problem hiding this comment.
I'd like us to land on a configuration approach that supports both env= and also src=. I think the latter will become the preferred option for npm auth when paired with https://github.com/seek-oss/private-npm-buildkite-plugin.
There was a problem hiding this comment.
How do you imagine src= secrets will be passed between plugins? I've decided not to implement SECRET=value for simplicity and because it might be visible in the pipeline. Separate PR?
There was a problem hiding this comment.
I may be misunderstanding, but in the case of private-npm-buildkite-plugin you should be able to control the file output path from that plugin and pipe that through as the input path src= here.
We don't have to land src= support in this PR, but I want to avoid ending up with strange options like secrets for env and secrets-src for src. What do you think about passing the flag values through verbatim:
secrets:
- id=1,env=SECRET
- id=2,src=path/to/secret.txtAlternatively we could try to retain the cleverness that your PR has currently, but I'm not sure it's worth the extra parsing complexity:
secrets:
- env: SECRET
- src: path/to/secret.txt
secrets:
id1:
env: SECRET
id2:
src: path/to/secret.txt There was a problem hiding this comment.
= cannot occur in environment variable names, so this is forward compatible:
secrets:
- FOO
- id=bar,env=BAR
- id=baz,src=path/to/baz.txt
No description provided.