don't pass secret as arg

mlcommons · Aug 30, 2024 · b709e3e · b709e3e
1 parent d987d95
commit b709e3e
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 7 deletions.
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -41,5 +41,5 @@ jobs:
           platforms: |
             linux/arm64/v8
             linux/amd64
-          build-args: |
+          secrets: |
             GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}
diff --git a/Dockerfile b/Dockerfile
@@ -21,8 +21,11 @@ ENV PIP_DEFAULT_TIMEOUT=100 \
 RUN pip install "poetry==$POETRY_VERSION"
 RUN python -m venv /venv
 
-ARG GITHUB_TOKEN
-RUN git config --global url."https://${GITHUB_TOKEN}@github.com/".insteadOf "https://github.com/"
+RUN --mount=type=secret,id=github_token \
+    git config --global url."https://$(cat /run/secrets/github_token)@github.com/".insteadOf "https://github.com/"
+
+# ARG GITHUB_TOKEN
+# RUN git config --global url."https://${GITHUB_TOKEN}@github.com/".insteadOf "https://github.com/"
 
 # Copy Poetry files and install dependencies
 COPY pyproject.toml poetry.lock ./
@@ -37,10 +40,10 @@ FROM base AS final
 WORKDIR /app
 
 
-# Pass the GITHUB_TOKEN to the final stage
-ARG GITHUB_TOKEN
-ENV GITHUB_TOKEN=${GITHUB_TOKEN}
-RUN git config --global url."https://${GITHUB_TOKEN}@github.com/".insteadOf "https://github.com/"
+# # Pass the GITHUB_TOKEN to the final stage
+# ARG GITHUB_TOKEN
+# ENV GITHUB_TOKEN=${GITHUB_TOKEN}
+# RUN git config --global url."https://${GITHUB_TOKEN}@github.com/".insteadOf "https://github.com/"
 
 # Copy the virtual environment and built package
 COPY --from=builder /venv /venv