enable docker secrets (#28)

README.md

@@ -31,7 +31,10 @@ builds:
     image: mergermarket/cdflow2-build-docker-ecr
     params:
       dockerfile: Dockerfile
-      context: .
+      context: = .
+      secrets:
+        - "id=npmrc,src=.npmrc"
+        - "id=ssh,src=/root/.ssh/id_rsa.pub"
 terraform:
   image: hashicorp/terraform
 ```
@@ -77,7 +80,7 @@ Import docker layer cache from specific source.
 Currently only "gha" supported.  
 For supported options check: https://docs.docker.com/engine/reference/commandline/buildx_build/#cache-from.  
 If buildx not enabled, parameter ignored.  
-Defaults to empty string.  
+Defaults to empty string.
 
 ```yaml
   buildx:
@@ -89,6 +92,31 @@ Defaults to empty string.
       cache-to: type=gha,mode=max
 ```
 
+#### secrets
+
+Allow passing secrets to the docker build.
+Secrets are passed as a list of strings.
+Each string should be in the format
+`id=<secret_id>,src=<secret_src>`
+
+`<secret_id>` is the name of the secret that will be used in
+the docker build context.
+
+`<secret_src>` is the path to the secret file on the host machine.
+
+limitation: It is only possible to pass src files, env is not available for cdflow2-build-docker-ecr plugin, as it runs in a separate container.
+
+```yaml
+  buildx:
+    image: mergermarket/cdflow2-build-docker-ecr:latest
+    params:
+      dockerfile: Dockerfile
+      context: = .
+      secrets:
+        - "id=npmrc,src=.npmrc"
+        - "id=ssh,src=/root/.ssh/id_rsa.pub"
+```
+
 #### cache-to
 
 Export docker layer to specific destination.  

internal/app/app.go

@@ -29,6 +29,7 @@ type config struct {
 	platforms  string
 	cacheFrom  string
 	cacheTo    string
+	secrets    []string
 }
 
 // Run runs the build process.
@@ -71,8 +72,13 @@ func Run(ecrClient ecriface.ECRAPI, runner CommandRunner, params map[string]inte
 }
 
 func build(config *config, image string, runner CommandRunner) {
-	fmt.Fprintf(os.Stderr, "$ docker build -f %s -t %s %s\n\n", config.dockerfile, image, config.context)
-	runner.Run("docker", "build", "-f", config.dockerfile, "-t", image, config.context)
+	buildArgs := []string{"build", "-f", config.dockerfile, "-t", image}
+	for _, secret := range config.secrets {
+		buildArgs = append(buildArgs, "--secret", secret)
+	}
+	buildArgs = append(buildArgs, config.context)
+	fmt.Fprintf(os.Stderr, "$ docker %s\n\n", strings.Join(buildArgs, " "))
+	runner.Run("docker", buildArgs...)
 
 	fmt.Fprintf(os.Stderr, "\n- Pushing docker image...\n\n")
 	fmt.Fprintf(os.Stderr, "$ docker push %s\n\n", image)
@@ -107,6 +113,9 @@ func buildWithBuildx(config *config, image string, runner CommandRunner) error {
 	if config.cacheTo != "" {
 		buildArgs = append(buildArgs, "--cache-to", config.cacheTo)
 	}
+	for _, secret := range config.secrets {
+		buildArgs = append(buildArgs, "--secret", secret)
+	}
 
 	buildArgs = append(buildArgs, "-f", config.dockerfile, "-t", image, config.context)
 
@@ -194,6 +203,15 @@ func getConfig(buildID string, params map[string]interface{}) (*config, error) {
 			return nil, fmt.Errorf("unexpected type for build.%v.params.cache-to: %T (should be string)", buildID, cacheToI)
 		}
 	}
+	secrets, ok := params["secrets"]
+	if ok {
+		for _, secret := range secrets.([]interface{}) {
+			result.secrets = append(result.secrets, secret.(string))
+		}
+		if !ok {
+			return nil, fmt.Errorf("unexpected type for build.%v.params.secrets: %T (should be []string)", buildID, secrets)
+		}
+	}
 
 	return &result, nil
 }