Bake secrets into docker image.

.github/workflows/ci.yml

@@ -97,13 +97,23 @@ jobs:
         with:
           project_id: infrastructure-220307
 
+      - name: Create secrets
+        run: |
+          printf "%s" "${{ secrets.TOITWARE_REGISTRY_SSH_DEPLOY_KEY }}" > private_ssh_key
+          ssh-keyscan github.com > known_hosts
+
       - name: Build Docker Image
         run: |
           gcloud config set project infrastructure-220307
           gcloud auth configure-docker
 
           make image
 
+      - name: Delete secrets
+        if: always()
+        run: |
+          rm -f private_ssh_key
+
       - name: Upload image
         if: |
           github.event_name == 'release' ||

Dockerfile

@@ -34,4 +34,18 @@ ENV TOITDOCS_VIEWER_PATH /web_toitdocs
 ENV SDK_PATH /sdk
 ENV TOITDOCS_VIEWER_PATH /web_toitdocs
 
+# We are baking in private data.
+# As of 2022-07-08 the deployment overrides these values:
+# https://github.com/toitware/deployment/blob/50d35c2498cb98f360c922a491c2c31e73cc403d/console/values.yaml#L437
+# However, by adding the key here, we can remove these lines from there.
+
+# When building locally, one can either get the real key from bitwarden, or use any key.
+# It should only be necessary when pushing to the registry. (Not 100% certain.)
+copy private_ssh_key /ssh_data/private_ssh_key
+ENV REGISTRY_SSH_KEY_FILE /ssh_data/private_ssh_key
+
+# Same: we are baking in the known_hosts, which is, as of 2022-07-08, overridden by the deployment.
+copy known_hosts /ssh_data/known_hosts
+ENV SSH_KNOWN_HOSTS /ssh_data/known_hosts
+
 ENTRYPOINT ["/registry_container"]