diff --git a/Hackney.Shared.Tenure.Tests/Dockerfile b/Hackney.Shared.Tenure.Tests/Dockerfile
index b26f567..8ebebab 100644
--- a/Hackney.Shared.Tenure.Tests/Dockerfile
+++ b/Hackney.Shared.Tenure.Tests/Dockerfile
@@ -3,8 +3,6 @@ FROM mcr.microsoft.com/dotnet/sdk:6.0
 # disable microsoft telematry
 ENV DOTNET_CLI_TELEMETRY_OPTOUT='true'
-ARG LBHPACKAGESTOKEN
-ENV LBHPACKAGESTOKEN=$LBHPACKAGESTOKEN
 WORKDIR /app
 # Copy csproj and restore as distinct layers
@@ -13,8 +11,16 @@ COPY ./Hackney.Shared.Tenure/Hackney.Shared.Tenure.csproj ./Hackney.Shared.Tenur
 COPY ./Hackney.Shared.Tenure.Tests/Hackney.Shared.Tenure.Tests.csproj ./Hackney.Shared.Tenure.Tests/
 COPY /nuget.config /root/.nuget/NuGet/NuGet.Config
 
-RUN dotnet restore ./Hackney.Shared.Tenure/Hackney.Shared.Tenure.csproj
-RUN dotnet restore ./Hackney.Shared.Tenure.Tests/Hackney.Shared.Tenure.Tests.csproj
+# We mount secrets so they can't end up in logs or build layers.
+# We chain both restore commands so we only make the token available
+# once and don't store it elsewhere.
+# see:
+# - https://docs.docker.com/reference/dockerfile/#arg
+# - https://docs.docker.com/compose/how-tos/use-secrets/
+RUN --mount=type=secret,id=LBHPACKAGESTOKEN \
+    export LBHPACKAGESTOKEN=$(cat /run/secrets/LBHPACKAGESTOKEN) && \
+    dotnet restore ./Hackney.Shared.Tenure/Hackney.Shared.Tenure.csproj && \
+    dotnet restore ./Hackney.Shared.Tenure.Tests/Hackney.Shared.Tenure.Tests.csproj
 
 # Copy everything else and build
 COPY . .
diff --git a/docker-compose.yml b/docker-compose.yml
index cf4f4e8..909791e 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
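Review bot: When the build is run without the secret, the new RUN does not stop at the mount: `export LBHPACKAGESTOKEN=$(cat /run/secrets/LBHPACKAGESTOKEN)` exits 0 even though the inner `cat` fails, so both `dotnet restore` calls proceed with an empty token and die later on a less obvious feed-authentication error. Making the mount mandatory fails fast with a clear build error instead: `RUN --mount=type=secret,id=LBHPACKAGESTOKEN,required=true \`. The `--mount` flag is only understood by BuildKit; if the builder is not guaranteed to be BuildKit, a `# syntax=docker/dockerfile:1` directive as the first line of the file (outside this hunk) pins a frontend that supports it. The first `see:` link points at the ARG section of the Dockerfile reference, while the instruction it documents is the secret mount, so the comment should cite the `RUN --mount=type=secret` section of that page instead.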
@@ -6,5 +6,12 @@ services:
     build:
       context: .
       dockerfile: Hackney.Shared.Tenure.Tests/Dockerfile
-      args:
-        - LBHPACKAGESTOKEN=${LBHPACKAGESTOKEN}
+      secrets:
+        - LBHPACKAGESTOKEN
+
+# see https://docs.docker.com/compose/how-tos/use-secrets/#build-secrets
+# Combines with a "secrets" block in each service to expose it as a file in
+# /run/secrets/, e.g. /run/secrets/LBHPACKAGESTOKEN
+secrets:
+  LBHPACKAGESTOKEN:
+    environment: LBHPACKAGESTOKEN
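Review bot: The added `secrets:` list has to sit under `build:` (at the depth the removed `args:` had) for the Dockerfile's `RUN --mount=type=secret` to receive it; a service-level `secrets:` only mounts the file into the running container, which the restore step never sees and which keeps the NuGet token exposed in the test container after the build. Indentation is not recoverable in this view, so confirm the placement against the linked build-secrets section, which shows `build: … secrets: - <name>`. The comment's wording "a secrets block in each service" describes the runtime form, so it should say this is a build-time-only secret, e.g. `# build-time only: referenced from build.secrets, never from the service's runtime secrets`. The top-level `environment: LBHPACKAGESTOKEN` source is a fairly recent Compose feature; if CI pins an older Compose release, a `file:` source is the fallback.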