Enable docker secrets in the builder as a more secure alternative to build args.

README.md

@@ -146,9 +146,33 @@ builder:
   multiarch: false
 ```
 
+### Configuring build secrets for new images
+
+Some images might need an secret passed in during build time, like a GITHUB_TOKEN to give access to private gem repositories, but you don't want it exposed in the resulting image. This can be done like so:
+
+```yaml
+builder:
+  secrets:
+    - GITHUB_TOKEN
+```
+
+This build secret can then be used in the Dockerfile:
+
+```
+# Install application gems
+COPY Gemfile Gemfile.lock ./
+
+# Private repositories need an access token during the build
+RUN --mount=type=secret,id=GITHUB_TOKEN \
+  BUNDLE_GITHUB__COM=x-access-token:$(cat /run/secrets/GITHUB_TOKEN) \
+  bundle install
+```
+
+> Note: This only supports simple secret configurations, and not the full gamut of options presented by the [buildx command --secret option](https://docs.docker.com/engine/reference/commandline/buildx_build/#secret).
+
 ### Configuring build args for new images
 
-Some images might need an argument passed in during build time, like a GITHUB_TOKEN to give access to private gem repositories. This can be done like so:
+Some images might need an argument passed in during build time, like a GITHUB_TOKEN to give access to private gem repositories. This is less secure than a docker secret, but works on older versions of docker. This will also expose your value in the final image. This can be done like so:
 
 ```yaml
 builder:

lib/mrsk/commands/builder/base.rb

@@ -2,6 +2,7 @@ require "mrsk/commands/base"
 
 class Mrsk::Commands::Builder::Base < Mrsk::Commands::Base
   delegate :argumentize, to: Mrsk::Configuration
+  delegate :simple_secretize, to: Mrsk::Configuration
 
   def pull
     docker :pull, config.absolute_image
@@ -11,8 +12,16 @@ class Mrsk::Commands::Builder::Base < Mrsk::Commands::Base
     argumentize "--build-arg", args, redacted: true
   end
 
+  def build_secrets
+    simple_secretize "--secret", secrets, redacted: true
+  end
+
   private
     def args
       config.builder["args"] || {}
     end
+
+    def secrets
+      config.builder["secrets"] || {}
+    end
 end

lib/mrsk/configuration.rb

@@ -22,6 +22,10 @@ class Mrsk::Configuration
       attributes.flat_map { |k, v| [ argument, redacted ? Mrsk::Utils.redact("#{k}=#{v}") : "#{k}=#{v}" ] }
     end
 
+    def simple_secretize(secret, attributes, redacted: false)
+      attributes.flat_map { |k, v| [ secret, redacted ? Mrsk::Utils.redact("id=#{k}") : "id=#{k}" ] }
+    end
+
     private
       def load_config_file(file)
         if file.exist?

test/commands/builder_test.rb

@@ -27,6 +27,11 @@ class CommandsBuilderTest < ActiveSupport::TestCase
     assert_equal [ "--build-arg", "a=1", "--build-arg", "b=2" ], builder.target.build_args
   end
 
+  test "build secrets" do
+    builder = Mrsk::Commands::Builder.new(Mrsk::Configuration.new(@config.merge({ builder: { "secrets" => ["token_a", "token_b"] } })))
+    assert_equal [ "--secret", "id=token_a", "--secret", "id=token_b" ], builder.target.build_secrets
+  end
+
   test "native push with build args" do
     builder = Mrsk::Commands::Builder.new(Mrsk::Configuration.new(@config.merge({ builder: { "multiarch" => false, "args" => { "a" => 1, "b" => 2 } } })))
     assert_equal [ :docker, :build, "-t", "--build-arg", "a=1", "--build-arg", "b=2", "dhh/app:123", ".", "&&", :docker, :push, "dhh/app:123" ], builder.push