A build secret is sensitive information, such as a password or API token, consumed as part of the build process. Docker Build supports two forms of secrets:

  • Secret mounts add secrets as files in the build container (under /run/secrets by default).
  • SSH mounts add SSH agent sockets or keys into the build container.

This page shows how to use secrets with GitHub Actions. For an introduction to secrets in general, see Build secrets.

Secret mounts

The following example uses and exposes the GITHUB_TOKEN secret that GitHub provides in your workflow.

First, create a Dockerfile that uses the secret:

In this example, the secret name is github_token. The following workflow exposes this secret using the secrets input:

Note

You can also expose a secret file to the build with the secret-files input:

If you're using GitHub secrets and need to handle multi-line values, you will need to place the key-value pair between quotes:

Key              Value
MYSECRET         ***********************
GIT_AUTH_TOKEN   abcdefghi,jklmno=0123456789
MYSECRET         aaaaaaaa\nbbbbbbb\nccccccccc
FOO              bar
EMPTYLINE        aaaa\n\nbbbb\nccc
JSON_SECRET      {"key1":"value1","key2":"value2"}

Note

Double escapes are needed for quote signs.
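The quoting rules for the secrets input are easy to get wrong for multi-line and JSON values, so the added example below (not code from the Docker docs or from the build-push-action project) renders the table's key/value pairs into quoted entries and reads them back with CSV-style parsing, where a quote sign inside a quoted entry is written as two quote signs; the sample values are constructed from the table above.

```python
import csv
import io

# Constructed sample: the key/value pairs from the table above
# (the masked MYSECRET row is omitted since keys must be unique here).
SAMPLE_SECRETS = {
    "GIT_AUTH_TOKEN": "abcdefghi,jklmno=0123456789",
    "MYSECRET": "aaaaaaaa\nbbbbbbb\nccccccccc",
    "FOO": "bar",
    "EMPTYLINE": "aaaa\n\nbbbb\nccc",
    "JSON_SECRET": '{"key1":"value1","key2":"value2"}',
}


def needs_quoting(value: str) -> bool:
    """An entry must be quoted if its value spans several lines,
    contains a comma, or contains a quote sign."""
    return any(ch in value for ch in ("\n", ",", '"'))


def format_secrets(secrets: dict[str, str]) -> str:
    """Render KEY=VALUE pairs as the body of the `secrets` input.

    Quote signs inside a quoted entry are doubled ("" stands for "),
    which is the double escape the note above refers to."""
    lines = []
    for key, value in secrets.items():
        entry = f"{key}={value}"
        if needs_quoting(value):
            entry = '"' + entry.replace('"', '""') + '"'
        lines.append(entry)
    return "\n".join(lines) + "\n"


def parse_secrets(text: str) -> dict[str, str]:
    """Read the input back the way a CSV reader does: one record per
    (possibly quoted, multi-line) entry, with commas kept literal."""
    reader = csv.reader(io.StringIO(text), quotechar='"', doublequote=True)
    result = {}
    for record in reader:
        if not record:  # blank line between entries
            continue
        entry = ",".join(record)  # commas belong to the value
        key, _, value = entry.strip().partition("=")
        result[key] = value
    return result
```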

SSH mounts

SSH mounts let you authenticate with SSH servers, for example to perform a git clone or to fetch application packages from a private repository.

The following Dockerfile example uses an SSH mount to fetch Go modules from a private GitHub repository.

To build this Dockerfile, you must specify an SSH mount that the builder can use in the steps with --mount=type=ssh.

The following GitHub Actions workflow uses the MrSquaare/ssh-setup-action third-party action to bootstrap SSH setup on the GitHub runner. The action creates a private key from the GitHub Actions secret SSH_GITHUB_PPK and adds it to the SSH agent socket at SSH_AUTH_SOCK. The SSH mount in the build step assumes SSH_AUTH_SOCK by default, so there's no need to specify the ID or path for the SSH agent socket explicitly.