Unable to mount secret to Dockerfile using docker build/push action on GitHub Actions


I am trying to leverage the secrets passing functionality in a docker build-push process using the corresponding action.

Here is how I am invoking the action:

      - name: build and push base runtime image
        uses: docker/build-push-action@v5
        with:
          file: path/to/Dockerfile
          build-args: |
            USERNAME=${{ inputs.username }}
          secrets: |
            ${{ secrets.MY_PASSWORD }}

The Dockerfile:

FROM ubuntu:latest

ARG USERNAME

COPY ./test-script.sh .

RUN --mount=type=secret,id=MY_PASSWORD \
  cat /run/secrets/MY_PASSWORD

RUN ./test-script.sh ${USERNAME} $(cat /run/secrets/MY_PASSWORD)

The build process fails with:

cat: /run/secrets/MY_PASSWORD: No such file or directory

Why is that?

BEST ANSWER

There are two issues with your code:

  1. You do not pass the secret correctly to the action: you'll have to use "MY_PASSWORD=${{ secrets.MY_PASSWORD }}"

  2. You need to mount the secret on each RUN statement in which you will try to use it.

Here are your fixed files:

The pipeline snippet:

      - name: build and push base runtime image
        uses: docker/build-push-action@v5
        with:
          file: path/to/Dockerfile
          build-args: |
            USERNAME=${{ inputs.username }}
          secrets: |
            "MY_PASSWORD=${{ secrets.MY_PASSWORD }}"

and the Dockerfile:

FROM ubuntu:latest

ARG USERNAME

COPY ./test-script.sh .

RUN --mount=type=secret,id=MY_PASSWORD \
  cat /run/secrets/MY_PASSWORD

RUN --mount=type=secret,id=MY_PASSWORD \
  ./test-script.sh ${USERNAME} $(cat /run/secrets/MY_PASSWORD)
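The two mistakes in the answer above (a `secrets:` line without a `NAME=` prefix, and a RUN that reads `/run/secrets/<id>` without its own `--mount=type=secret`) are easy to catch before a build runs. The following lint is an added example written for this page; it is not code from the question, the answer, or the docker/build-push-action project. It assumes BuildKit's `RUN --mount=type=secret,id=NAME[,target=PATH]` syntax with the default `/run/secrets/NAME` location, and that the action's `secrets:` block is the multi-line `NAME=value` form. It generalises past the thread's single secret: every secret mount and every `/run/secrets/...` reference in each RUN is checked, and a custom `target=` path is honoured. The Dockerfile and `secrets:` samples are constructed copies of the files in the thread.

```python
"""Lint a Dockerfile and a build-push-action `secrets:` block for secret-mount
mistakes. Added example, not part of the original thread; assumes BuildKit
secret-mount syntax and the action's NAME=value secrets form."""
import re
from os.path import basename

# Constructed sample: the Dockerfile from the question (2nd RUN has no mount).
DOCKERFILE_BROKEN = """\
FROM ubuntu:latest
ARG USERNAME
COPY ./test-script.sh .
RUN --mount=type=secret,id=MY_PASSWORD \\
  cat /run/secrets/MY_PASSWORD
RUN ./test-script.sh ${USERNAME} $(cat /run/secrets/MY_PASSWORD)
"""

# Constructed sample: the Dockerfile from the answer (both RUNs mount the secret).
DOCKERFILE_FIXED = """\
FROM ubuntu:latest
ARG USERNAME
COPY ./test-script.sh .
RUN --mount=type=secret,id=MY_PASSWORD \\
  cat /run/secrets/MY_PASSWORD
RUN --mount=type=secret,id=MY_PASSWORD \\
  ./test-script.sh ${USERNAME} $(cat /run/secrets/MY_PASSWORD)
"""

# Constructed samples: the `secrets:` block contents from question and answer.
SECRETS_BLOCK_BROKEN = "${{ secrets.MY_PASSWORD }}\n"
SECRETS_BLOCK_FIXED = '"MY_PASSWORD=${{ secrets.MY_PASSWORD }}"\n'

MOUNT_RE = re.compile(r"--mount=(\S+)")
SECRET_PATH_RE = re.compile(r"/run/secrets/[A-Za-z0-9_.-]+")
SECRET_LINE_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=.+$")


def _logical_lines(dockerfile: str) -> list:
    """Join backslash-continued lines so each instruction is one string."""
    joined, buf = [], ""
    for raw in dockerfile.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            joined.append(buf.strip())
        buf = ""
    if buf.strip():
        joined.append(buf.strip())
    return joined


def _mounted_secret_paths(instruction: str) -> set:
    """Paths that this RUN's --mount=type=secret options make readable."""
    paths = set()
    for opts in MOUNT_RE.findall(instruction):
        kv = dict(p.split("=", 1) if "=" in p else (p, "") for p in opts.split(","))
        if kv.get("type") != "secret":
            continue
        target = kv.get("target") or kv.get("dst")
        # BuildKit defaults the id to the target's basename when id is omitted.
        secret_id = kv.get("id") or (basename(target) if target else None)
        if secret_id:
            paths.add(target or f"/run/secrets/{secret_id}")
    return paths


def lint_dockerfile(dockerfile: str) -> list:
    """One message per RUN that reads a /run/secrets file it did not mount."""
    problems = []
    for n, ins in enumerate(_logical_lines(dockerfile), 1):
        if not ins.upper().startswith("RUN"):
            continue
        mounted = _mounted_secret_paths(ins)
        for path in SECRET_PATH_RE.findall(ins):
            if path not in mounted:
                problems.append(
                    f"instruction {n}: reads {path} without "
                    f"--mount=type=secret,id={basename(path)}")
    return problems


def lint_secrets_block(block: str) -> list:
    """One message per `secrets:` line that is not NAME=value, i.e. that gives
    the action no id under which to expose the secret to the build."""
    problems = []
    for n, raw in enumerate(block.splitlines(), 1):
        line = raw.strip().strip('"').strip("'")
        if line and not SECRET_LINE_RE.match(line):
            problems.append(f"line {n}: {line!r} has no NAME= prefix")
    return problems


if __name__ == "__main__":
    for label, text in (("question", DOCKERFILE_BROKEN), ("answer", DOCKERFILE_FIXED)):
        print(f"Dockerfile ({label}):", lint_dockerfile(text) or "ok")
    for label, text in (("question", SECRETS_BLOCK_BROKEN), ("answer", SECRETS_BLOCK_FIXED)):
        print(f"secrets block ({label}):", lint_secrets_block(text) or "ok")
```

Run it as a pre-build check in CI, or point `lint_dockerfile` at any Dockerfile that uses secret mounts. One caveat on the thread's own files: the first RUN in both Dockerfiles only exists to prove the mount works, and `cat` of a secret inside a RUN step writes its value into the build log, so that instruction should be removed once the mount is confirmed.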