
Add support for build secrets#1300

Open
percontation wants to merge 2 commits intoapple:mainfrom
percontation:secrets

Conversation


@percontation percontation commented Mar 7, 2026

A docker-compatible --secret id=key,... argument for container build, which works with Dockerfiles that use RUN --mount=type=secret.

Requires apple/container-builder-shim#69

Type of Change

  • Bug fix
  • New feature
  • Breaking change
  • Documentation update

Motivation and Context

Adds support for Dockerfiles that use build secrets (e.g. RUN --mount=type=secret ...)

Testing

  • Tested locally
  • Added/updated tests
  • Added/updated docs

docker-compatible container build --secret id=aws,...
for RUN --mount=type=secret
Author

percontation commented Mar 7, 2026

I haven't done much Swift before, so watch out for any stupid mistakes I may have made.

One design caveat: I passed secrets by copying the build-args code, because they're functionally the same. But systems are supposed to take care that the secret values aren't logged or stored anywhere, so HTTP headers are a much riskier way to send them than transporting them separately in a new BuildTransfer. I nevertheless used the headers to send the secrets because (1) it seemed easier, (2) I didn't notice anything that would log or record these headers, and (3) it looked like the headers and BuildTransfers alike are just data sent through gRPC, so there is not much practical difference right now.

let data: Data
if parts.count == 1 || parts[1].hasPrefix("env=") {
let env = parts.count == 1 ? key : String(parts[1].dropFirst(4))
guard let ptr = getenv(env) else {
Contributor

Nit comment.
We can avoid using an unsafe pointer and strlen by

// Look the variable up through Foundation's environment dictionary instead of getenv.
guard let value = ProcessInfo.processInfo.environment[env] else {
    throw ContainerizationError(.invalidArgument, message: "secret env var doesn't exist \(env)")
}
data = Data(value.utf8)

Author

@percontation percontation Mar 13, 2026

I couldn't find documentation on how ProcessInfo.processInfo.environment would behave on environment variables containing non-UTF8 data, so I went with C getenv. Is there a better Swift way of getting env vars as Data without going through UTF8?

Alternatively, just using ProcessInfo.processInfo.environment and accepting whatever limitations that places on non-UTF8 env var values could just be fine, given that env vars needing to be \x00-free already makes it iffy to use env vars on non-text data secrets. Would this be preferred here?
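To make the two choices discussed in this thread concrete, here is an added, self-contained Swift example (not code from this PR or from apple/container): it parses a docker-style --secret spec the way the PR description describes it (id=aws, optionally with env=VAR or src=path, a bare id defaulting to an environment variable of the same name) and then loads the value as Data. The environment branch deliberately uses getenv plus strlen, which is the author's reasoning for preserving non-UTF-8 bytes; ProcessInfo.processInfo.environment would be the alternative the reviewer suggests. The type names, the error enum and the sample spec string are assumptions of this example, not identifiers from the project.

```swift
import Foundation

/// Parsed form of a docker-style `--secret id=<id>[,env=<VAR>|src=<path>]` argument.
/// Hypothetical type for this example; the PR's own types are not shown here.
struct BuildSecretSpec: Equatable {
    enum Source: Equatable {
        case environment(String)   // value comes from an environment variable
        case file(String)          // value comes from a file on disk
    }
    let id: String
    let source: Source
}

enum BuildSecretError: Error, Equatable {
    case invalidSpec(String)
    case missingEnvironmentVariable(String)
}

/// Parse `id=aws,env=AWS_SECRET`, `id=aws,src=./secret.txt`, or a bare `id=aws`.
/// A bare id defaults to the environment variable of the same name, matching docker.
func parseBuildSecretSpec(_ spec: String) throws -> BuildSecretSpec {
    var id: String?
    var source: BuildSecretSpec.Source?
    for part in spec.split(separator: ",", omittingEmptySubsequences: false) {
        let kv = part.split(separator: "=", maxSplits: 1, omittingEmptySubsequences: false)
        guard kv.count == 2, !kv[1].isEmpty else {
            throw BuildSecretError.invalidSpec("expected key=value in '\(part)'")
        }
        let key = String(kv[0])
        let value = String(kv[1])
        switch key {
        case "id":
            id = value
        case "env":
            source = .environment(value)
        case "src", "source":
            source = .file(value)
        default:
            throw BuildSecretError.invalidSpec("unknown key '\(key)'")
        }
    }
    guard let id = id else {
        throw BuildSecretError.invalidSpec("missing id")
    }
    return BuildSecretSpec(id: id, source: source ?? .environment(id))
}

/// Load the raw bytes of a secret.
/// The environment case reads through getenv so that non-UTF-8 bytes survive;
/// strlen is the boundary, so a value cannot contain NUL either way (the
/// limitation the thread points out for any env-var-based secret).
func loadBuildSecret(_ spec: BuildSecretSpec) throws -> Data {
    switch spec.source {
    case .environment(let name):
        guard let ptr = getenv(name) else {
            throw BuildSecretError.missingEnvironmentVariable(name)
        }
        return Data(bytes: ptr, count: strlen(ptr))
    case .file(let path):
        return try Data(contentsOf: URL(fileURLWithPath: path))
    }
}

/// Log-safe summary: reports id, source and length, never the value itself,
/// so it can be written to build logs without leaking the secret.
func describeBuildSecret(_ spec: BuildSecretSpec, _ data: Data) -> String {
    return "secret \(spec.id): \(spec.source) (\(data.count) bytes)"
}

// Usage with a constructed spec (the variable name is a placeholder):
// let spec = try parseBuildSecretSpec("id=aws,env=EXAMPLE_AWS_SECRET")
// let bytes = try loadBuildSecret(spec)
// print(describeBuildSecret(spec, bytes))
```

The split is kept at two distinct functions so the parsing can be validated up front (the reviewer's suggestion to do this under validate) while the actual reading of secret bytes happens as late as possible and only its length is ever logged.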

}

var secretsData: [String: Data] = [:]
for secret in self.secret {
Contributor

Could we move this part under validate function? #1273 as an example.

Author

Moved it. Let me know if I did what you were expecting.
