I have a secret file secret.json:

    {
      "key1": "value_1",
      "key2": "value_2"
    }
and a simple Dockerfile ./src/Dockerfile:

    # syntax=docker/dockerfile:1
    FROM debian:stable-20230904-slim AS downloader
    RUN apt update && apt install -y jq
    RUN --mount=type=secret,id=secrets \
        cat /run/secrets/secrets | jq -r '.key1'
When I call the GitHub action

    - name: Build
      uses: docker/build-push-action@v5
      with:
        context: './src/'
        tags: foo/bar:latest
        secret-files: |
          "secrets=./secret.json"
I receive the following error:

    parse error: Invalid numeric literal at line 2, column 7
I tried to base64 encode the JSON file before passing it to the action and then decode and parse it inside the Dockerfile, but the result is the same. It seems like the double quote characters disappear when the file is read from inside the Docker build and push action:

    [stage-0 2/2] RUN --mount=type=secret,id=secrets cat /run/secrets/secrets | sed 's/./&/g'
    {
    key1: value_1,
    key2: value_2
    }
Tried to reproduce your scenario, but it worked fine.

Most probably, you're generating your secret.json and it's not valid JSON to begin with. You need to verify this after generating it. Fixing that part should fix this too.

Here are the details of my test:

Directory structure:
    repo
    - docker-secrets-test
      - Dockerfile
      - secrets.json
secrets.json

    {
      "key1": "value_1",
      "key2": "value_2"
    }
Dockerfile

    # syntax=docker/dockerfile:1
    FROM debian:stable-20230904-slim
    RUN apt update && apt install -y jq
    RUN \
        --mount=type=secret,id=secrets \
        cat /run/secrets/secrets | jq -r '.key1' > secret.txt
.github/workflows/ci-docker-secrets-test.yml

    name: docker_secrets_test
    on: workflow_dispatch
    jobs:
      ci:
        runs-on: ubuntu-latest
        services:
          registry:
            image: registry:2
            ports:
              - 5000:5000
        steps:
          - name: Checkout
            uses: actions/checkout@v4
          - name: Set up QEMU
            uses: docker/setup-qemu-action@v3
          - name: Set up Docker Buildx
            uses: docker/setup-buildx-action@v3
            with:
              driver-opts: network=host
          - name: Build and push
            uses: docker/build-push-action@v5
            with:
              context: ./docker-secrets-test
              push: true
              tags: localhost:5000/docker-secrets-test:latest
              secret-files: |
                "secrets=./docker-secrets-test/secrets.json"
          - name: Check
            run: |
              docker run --rm localhost:5000/docker-secrets-test:latest cat secret.txt
Output:
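The answer's advice is to verify the generated file before the build runs. As an added example (not code from either poster), the Python below reproduces one way the quote-less text in the question can arise, namely JSON pasted unquoted into a shell command so that the shell's quote removal strips the double quotes before `echo` writes the file, and adds a pre-build check that rejects anything that is not a JSON object. It assumes `shlex.split` is a close enough model of POSIX quote removal for this purpose; the sample JSON is constructed to mirror the question's secret.json.

```python
import json
import shlex

# Constructed sample mirroring the question's secret.json (not a real secret).
SECRET_JSON = '{"key1": "value_1", "key2": "value_2"}'


def simulate_unquoted_echo(raw_json: str) -> str:
    """Approximate what lands in the file after `echo <json> > secret.json`
    when the JSON text is pasted unquoted into a shell command line (for
    example an expression interpolated straight into a `run:` step).

    shlex.split applies POSIX quote removal, which is what the shell does
    before echo ever sees its arguments. Assumption: shlex is a close enough
    model of sh for this case.
    """
    words = shlex.split("echo " + raw_json)
    return " ".join(words[1:])


def parse_secret(text: str) -> dict:
    """Parse the generated secret file and insist on a JSON object, so the
    job fails before docker build instead of inside jq in the Dockerfile."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"secret file is not valid JSON: {exc}") from exc
    if not isinstance(data, dict):
        raise ValueError("secret file must contain a JSON object")
    return data


def is_valid_secret(text: str) -> bool:
    """Boolean form of parse_secret, suitable for a pre-build check step."""
    try:
        parse_secret(text)
        return True
    except ValueError:
        return False


def extract_key(text: str, key: str) -> str:
    """Same result as `jq -r '.key1'` in the question's Dockerfile."""
    return str(parse_secret(text)[key])


if __name__ == "__main__":
    mangled = simulate_unquoted_echo(SECRET_JSON)
    print("after unquoted echo:", mangled)                    # {key1: value_1, key2: value_2}
    print("valid as written:", is_valid_secret(SECRET_JSON))  # True
    print("valid after echo:", is_valid_secret(mangled))      # False
    print("key1:", extract_key(SECRET_JSON, "key1"))          # value_1
```

The mangled string is exactly the quote-less `{key1: value_1, key2: value_2}` the question's sed output shows, and it is what jq's "Invalid numeric literal" error refers to.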