ci: secret job to check for invalid secrets
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>pull/700/head
parent
871b930e7a
commit
47c00d78bf
|
@ -302,6 +302,29 @@ jobs:
|
||||||
run: |
|
run: |
|
||||||
docker image inspect myimage:latest
|
docker image inspect myimage:latest
|
||||||
|
|
||||||
|
secret:
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
-
|
||||||
|
name: Checkout
|
||||||
|
uses: actions/checkout@v3
|
||||||
|
-
|
||||||
|
name: Set up Docker Buildx
|
||||||
|
uses: docker/setup-buildx-action@v2
|
||||||
|
with:
|
||||||
|
version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
|
||||||
|
driver-opts: |
|
||||||
|
image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
|
||||||
|
-
|
||||||
|
name: Build
|
||||||
|
uses: ./
|
||||||
|
with:
|
||||||
|
context: .
|
||||||
|
file: ./test/secret.Dockerfile
|
||||||
|
secrets: |
|
||||||
|
MYSECRET=foo
|
||||||
|
INVALID_SECRET=
|
||||||
|
|
||||||
network:
|
network:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
|
|
|
@ -137,8 +137,7 @@ describe('getSecret', () => {
|
||||||
}
|
}
|
||||||
expect(true).toBe(!invalid);
|
expect(true).toBe(!invalid);
|
||||||
expect(secret).toEqual(`id=${exKey},src=${tmpNameSync}`);
|
expect(secret).toEqual(`id=${exKey},src=${tmpNameSync}`);
|
||||||
const secretValue = await fs.readFileSync(tmpNameSync, 'utf-8');
|
expect(fs.readFileSync(tmpNameSync, 'utf-8')).toEqual(exValue);
|
||||||
expect(secretValue).toEqual(exValue);
|
|
||||||
} catch (err) {
|
} catch (err) {
|
||||||
// eslint-disable-next-line jest/no-conditional-expect
|
// eslint-disable-next-line jest/no-conditional-expect
|
||||||
expect(true).toBe(invalid);
|
expect(true).toBe(invalid);
|
||||||
|
|
|
@ -0,0 +1,4 @@
|
||||||
|
# syntax=docker/dockerfile:1
|
||||||
|
FROM busybox
|
||||||
|
RUN --mount=type=secret,id=MYSECRET \
|
||||||
|
echo "MYSECRET=$(cat /run/secrets/MYSECRET)"
|
Loading…
Reference in New Issue