ci: secret job to check for invalid secrets

crazy-max · crazy-max · commit 47c00d78bfb0 · 2022-10-09T17:42:47.000+02:00
Signed-off-by: CrazyMax &lt;crazy-max@users.noreply.github.com&gt;
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -302,6 +302,29 @@ jobs:
         run: |
           docker image inspect myimage:latest
 
+  secret:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        uses: ./
+        with:
+          context: .
+          file: ./test/secret.Dockerfile
+          secrets: |
+            MYSECRET=foo
+            INVALID_SECRET=
+
   network:
     runs-on: ubuntu-latest
     steps:
diff --git a/__tests__/buildx.test.ts b/__tests__/buildx.test.ts
@@ -137,8 +137,7 @@ describe('getSecret', () => {
       }
       expect(true).toBe(!invalid);
       expect(secret).toEqual(`id=${exKey},src=${tmpNameSync}`);
-      const secretValue = await fs.readFileSync(tmpNameSync, 'utf-8');
-      expect(secretValue).toEqual(exValue);
+      expect(fs.readFileSync(tmpNameSync, 'utf-8')).toEqual(exValue);
     } catch (err) {
       // eslint-disable-next-line jest/no-conditional-expect
       expect(true).toBe(invalid);
diff --git a/test/secret.Dockerfile b/test/secret.Dockerfile
@@ -0,0 +1,4 @@
+# syntax=docker/dockerfile:1
+FROM busybox
+RUN --mount=type=secret,id=MYSECRET \
+  echo "MYSECRET=$(cat /run/secrets/MYSECRET)"
