Fix: Remove UTF-8 encoding to prevent mangling of binary secrets#599
Fix: Remove UTF-8 encoding to prevent mangling of binary secrets#599crazy-max merged 1 commit intodocker:mainfrom
Conversation
matthiasfehr
force-pushed
the
binary-secret-files
branch
from
3d670fa to
ed85272
Compare
I was looking at the initial implementation and it was added in https://github.com/docker/build-push-action/pull/296/files#diff-f73f5f656aeb1aac9f0e62af243004b96603175d3d897231961ab4245d7a5a50R41 I think your change is fine but I just wonder what's your use case to have a bin formatted secret to use in your Dockerfile. Do you mind to share? Also I think instead of doing both public static resolveSecret(kvp: string, file: boolean): [string, string] {
const [key, value] = Build.parseSecretKvp(kvp);
const secretFile = Context.tmpName({tmpdir: Context.tmpDir()});
if (file) {
if (!fs.existsSync(value)) {
throw new Error(`secret file ${value} not found`);
}
fs.copyFileSync(value, secretFile);
} else {
fs.writeFileSync(secretFile, value);
}
return [key, secretFile];
} |
|
I have a docker build stage in my Dockerfile where I sign the built executable, and for this I need to pass in a p12 certificate file. This works when directly passed as secret argument to docker but not with this action. I have updated the PR to use directly the |
crazy-max
left a comment
crazy-max
left a comment
There was a problem hiding this comment.
Can you squash your commits? Otherwise LGTM thanks!
Signed-off-by: Matthias Fehr <matthias@monostream.com>
matthiasfehr
force-pushed
the
binary-secret-files
branch
from
9de7219 to
9692462
Compare
2 participants
This PR removes the explicit
encoding: 'utf-8'from the secret resolution code to ensure binary files are not corrupted. Previously, reading and writing secrets as UTF-8 caused issues when the secret was a binary file. By switching to raw buffers, the code now correctly supports both binary and text-based secrets without any unintended transformations.encoding: 'utf-8'fromfs.readFileSync.