Merge pull request #4592 from telefonicaid/hardening/impreove-secrets…

…-management FIX improve Docker building process
telefonicaid · Jul 4, 2024 · f0e7cc5 · f0e7cc5
2 parents 8c24790 + 6b45bcd
commit f0e7cc5
Show file tree

Hide file tree

Showing 4 changed files with 6 additions and 10 deletions.
diff --git a/.github/workflows/publishimage-master.yml b/.github/workflows/publishimage-master.yml
@@ -26,7 +26,7 @@ jobs:
         password: ${{ secrets.DOCKERHUB_TEF_TOKEN }}
 
     - name: Build Docker image
-      run: docker build -t telefonicaiot/fiware-orion:latest --build-arg GIT_REV_ORION=master --build-arg REPO_ACCESS_TOKEN=${{ secrets.REPO_ACCESS_TOKEN }} --no-cache -f docker/Dockerfile .
+      run: docker build -t telefonicaiot/fiware-orion:latest --build-arg GIT_REV_ORION=master --secret id=repo_token,env=${{ secrets.REPO_ACCESS_TOKEN }} --no-cache -f docker/Dockerfile .
 
     - name: Push Docker image
       run: docker push telefonicaiot/fiware-orion:latest
diff --git a/.github/workflows/publishimage-tag.yml b/.github/workflows/publishimage-tag.yml
@@ -30,7 +30,7 @@ jobs:
       run: echo "VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
 
     - name: Build Docker image
-      run: docker build -t telefonicaiot/fiware-orion:${{ env.VERSION }} --build-arg GIT_REV_ORION=${{ env.VERSION }} --build-arg REPO_ACCESS_TOKEN=${{ secrets.REPO_ACCESS_TOKEN }} --no-cache -f docker/Dockerfile .
+      run: docker build -t telefonicaiot/fiware-orion:${{ env.VERSION }} --build-arg GIT_REV_ORION=${{ env.VERSION }} --secret id=repo_token,env=${{ secrets.REPO_ACCESS_TOKEN }} --no-cache -f docker/Dockerfile .
 
     - name: Push Docker image
       run: docker push telefonicaiot/fiware-orion:${{ env.VERSION }}
diff --git a/docker/Dockerfile b/docker/Dockerfile
@@ -29,19 +29,17 @@ ARG GITHUB_REPOSITORY=fiware-orion
 ARG GIT_NAME
 ARG GIT_REV_ORION
 ARG CLEAN_DEV_TOOLS
-ARG REPO_ACCESS_TOKEN
 
 ENV ORION_USER ${ORION_USER:-orion}
 ENV GIT_NAME ${GIT_NAME:-telefonicaid}
 ENV GIT_REV_ORION ${GIT_REV_ORION:-master}
 ENV CLEAN_DEV_TOOLS ${CLEAN_DEV_TOOLS:-1}
-ENV REPO_ACCESS_TOKEN ${REPO_ACCESS_TOKEN:-""}
 
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
 WORKDIR /opt
 
-RUN \
+RUN --mount=type=secret,id=repo_token,dst=/run/secrets/repo_token \
     # Install security updates
     apt-get -y update && \
     apt-get -y upgrade && \
@@ -104,7 +102,7 @@ RUN \
     git clone https://github.com/${GIT_NAME}/fiware-orion && \
     cd fiware-orion && \
     git checkout ${GIT_REV_ORION} && \
-    bash get_cjexl.sh 0.3.0 ${REPO_ACCESS_TOKEN} && \
+    bash get_cjexl.sh 0.3.0 $(cat /run/secrets/repo_token) && \
     make && \
     make install && \
     # reduce size of installed binaries

diff --git a/docker/Dockerfile.alpine b/docker/Dockerfile.alpine
@@ -32,19 +32,17 @@ ARG GITHUB_REPOSITORY=fiware-orion
 ARG GIT_NAME
 ARG GIT_REV_ORION
 ARG CLEAN_DEV_TOOLS
-ARG REPO_ACCESS_TOKEN
 
 ENV ORION_USER ${ORION_USER:-orion}
 ENV GIT_NAME ${GIT_NAME:-telefonicaid}
 ENV GIT_REV_ORION ${GIT_REV_ORION:-master}
 ENV CLEAN_DEV_TOOLS ${CLEAN_DEV_TOOLS:-1}
-ENV REPO_ACCESS_TOKEN ${REPO_ACCESS_TOKEN:-""}
 
 SHELL ["/bin/ash", "-o", "pipefail", "-c"]
 
 WORKDIR /opt
 
-RUN \
+RUN --mount=type=secret,id=repo_token,dst=/run/secrets/repo_token \
     # Install dependencies
     apk add --no-cache \
       curl \
@@ -110,7 +108,7 @@ RUN \
     git clone https://github.com/${GIT_NAME}/fiware-orion && \
     cd fiware-orion && \
     git checkout ${GIT_REV_ORION} && \
-    bash get_cjexl.sh 0.3.0 ${REPO_ACCESS_TOKEN} && \
+    bash get_cjexl.sh 0.3.0 $(cat /run/secrets/repo_token) && \
     # patch bash and mktemp statement in build script, as in alpine is slightly different
     sed -i 's/mktemp \/tmp\/compileInfo.h.XXXX/mktemp/g' scripts/build/compileInfo.sh && \
     sed -i 's/bash/ash/g' scripts/build/compileInfo.sh && \