DOCKER_BUILDKIT – passing a token secret during build time from github actions

  azure-artifacts, docker, pip, python

I have a pip installable package that was published using twine to Azure DevOps artifact.

In my build image I need to download that package and install it with pip. So I need to
authenticate against azure artifacts to get it. So I am using artifacts-keyring to do so

The pip installable URL is something like this:

https://<token><org>/<project>/_packaging/<feed>/pypi/simple/ --no-cache-dir <package-name>

I am trying to use Docker BuildKit to pass the token during build time.
I am mounting the secret and using it by getting its value with cat command substitution:

# syntax = docker/dockerfile:1.2


RUN --mount=type=secret,id=azdevopstoken,dst=/run/secrets/azdevopstoken 
    pip install --upgrade pip && 
    pip install pyyaml numpy lxml artifacts-keyring && 
    echo pip install -i https://"$(cat /run/secrets/azdevopstoken)">/<project>/_packaging/feed/pypi/simple/ --no-cache-dir package-name

and it works locally from my workstation when I run:
(My src file where the token is in plain text is azdevopstoken.txt within my local directory structure project)

DOCKER_BUILDKIT=1 docker image build --secret id=azdevopstoken,src=./azdevopstoken.txt --progress plain  . -t my-image:tag

Now I am running this build command from GitHub actions pipeline
And I got this output:

Scould not parse secrets: [id=azdevopstoken,src=./azdevopstoken.txt]: failed to stat ./azdevopstoken.txt: stat ./azdevopstoken.txt: no such file or directory
Error: Process completed with exit code 1.

This is expected from me, since I am not uploading azdevopstoken.txt file, because I don’t want to have it in my repository, since there is my token in plain text.

Reading carefully here, I see there is a workaround to encrypt secrets, perhaps this could be a good solution to implement buildkit from my github actions pipeline, but I think this is an additional step in my workflow, so I am not sure whether follow this option or not.
Foremost because I already passing the secret in the old way by using the --build-arg flag during build time of this way:

RUN pip install --upgrade pip && 
    pip install pyyaml numpy lxml artifacts-keyring && 
    pip install -i https://[email protected]/ORG/PROJECT/_packaging/feed/pypi/simple/ --no-cache-dir PACKAGE-NAME

Being my docker build command from GitHub actions of this way:

docker image build --build-arg AZ_DEVOPS_TOKEN="${{ secrets.AZ_DEVOPS_TOKEN }}"  . -t

It works perfect, the thing is, I heard --build-arg is not a safe solution to pass sensitive information. Despite that I ran docker history after this command, and I couldn’t see the secret exposed or something similar.

> docker history af-fem-uploader:preview-buildarg
IMAGE          CREATED          CREATED BY                                      SIZE      COMMENT
2eff105408c9   34 seconds ago   RUN /bin/sh -c pip install pytest && pytest …   5MB       buildkit.dockerfile.v0
<missing>      38 seconds ago   WORKDIR /home/site/wwwroot/HttpUploadTrigger/   0B        buildkit.dockerfile.v0
<missing>      38 seconds ago   ADD . /home/site/wwwroot # buildkit             1.9MB     buildkit.dockerfile.v0

So what is the benefit to pass the secrets via BUILDKIT in order to don’t expose them if I have to upload the file which contains the secret to my repository?

Perhaps I am missing something.

Source: Docker Questions