ci: secret job to check for invalid secrets

Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-10-09 17:39:54 +02:00 · 2022-10-09 17:39:54 +02:00 · 47c00d78bf
commit 47c00d78bf
parent 871b930e7a
3 changed files with 28 additions and 2 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -302,6 +302,29 @@ jobs:
        run: |
          docker image inspect myimage:latest

+  secret:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        uses: ./
+        with:
+          context: .
+          file: ./test/secret.Dockerfile
+          secrets: |
+            MYSECRET=foo
+            INVALID_SECRET=
+
  network:
    runs-on: ubuntu-latest
    steps:
--- a/tests/buildx.test.ts
+++ b/tests/buildx.test.ts
@ -137,8 +137,7 @@ describe('getSecret', () => {
      }
      expect(true).toBe(!invalid);
      expect(secret).toEqual(`id=${exKey},src=${tmpNameSync}`);
-      const secretValue = await fs.readFileSync(tmpNameSync, 'utf-8');
-      expect(secretValue).toEqual(exValue);
+      expect(fs.readFileSync(tmpNameSync, 'utf-8')).toEqual(exValue);
    } catch (err) {
      // eslint-disable-next-line jest/no-conditional-expect
      expect(true).toBe(invalid);
--- a/test/secret.Dockerfile
+++ b/test/secret.Dockerfile
@ -0,0 +1,4 @@
+# syntax=docker/dockerfile:1
+FROM busybox
+RUN --mount=type=secret,id=MYSECRET \
+  echo "MYSECRET=$(cat /run/secrets/MYSECRET)"