Custom secrets in plugins/ecr

Hey!

I appreciate in advance any help I might receive.

I’m trying to use plugins/ecr to build+push a docker container that runs a node.js application.
I need to load a secret that is used as a “build-arg” in docker build (an npm_token).

Here’s my pipeline:

    ecr:
      image: plugins/ecr
      access_key: <access_key>
      repo: <registry>/<repo>
      registry: <registry>
      dockerfile: <path_to_dockerfile>
      tags: latest
      context: <path_to_context>
      build_args:
      secrets: [ ecr_secret_key, npm_token ]

A secret “npm_token” exists. Yet, the ecr plugin doesn’t seem to allow more than the 3 default secrets that are documented.
How do we pass custom build arguments to this plugin in particular, given that they are secret (and therefore I want to exclude them from source version control)?

The reason this does not work is that the following syntax is not valid


The list of build arguments is a Go string array. It is not a bash string and is not passed through a bash interpreter, which means it will not expand bash variables.

Instead you can do the following:

  secrets: [ ecr_secret_key, npm_token ]
+ build_args_from_env: [ NPM_TOKEN ]
- build_args

This field instructs the plugin to pass specific environment variables to your plugin as build arguments. Note that secrets are passed to the plugin as environment variables. Note that environment variable names are uppercase, so parameters defined in build_args_from_env should be uppercase.

As an aside, in general we would recommend against the above approach. Instead we would recommend that you build, test and bundle your code and THEN build and publish your docker image. So your yaml would look something like this:

    pipeline:
      build:              # step names are illustrative
        image: node
        commands:
          - npm install
          - npm test
          - npm run build
      publish:
        image: plugins/docker

and in your Dockerfile you would add your bundled app:

    FROM node
    ADD build/* /usr/src/app
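
Added example, not part of the original thread and not the plugin's own code: a small Go model of the two behaviours the answer describes, namely that `build_args` strings are passed through without shell expansion and that `build_args_from_env` names must match the uppercase environment variable a secret is exposed as. The `Step` type, `SecretEnv`, `Resolve`, the exact-name lookup and the sample token are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Step models only the settings discussed in the thread (hypothetical type).
type Step struct {
	Secrets          []string // names as written under `secrets:`
	BuildArgs        []string // literal strings, never shell-expanded
	BuildArgsFromEnv []string // environment variable names to forward
}

// SecretEnv assumes each listed secret is exposed under its uppercased name.
func SecretEnv(step Step, store map[string]string) map[string]string {
	env := map[string]string{}
	for _, name := range step.Secrets {
		if v, ok := store[name]; ok {
			env[strings.ToUpper(name)] = v
		}
	}
	return env
}

// Resolve builds NAME=value build arguments and lists problems: literal
// args still containing "${", and names that are missing from env.
func Resolve(step Step, env map[string]string) (args, problems []string) {
	for _, a := range step.BuildArgs {
		if strings.Contains(a, "${") {
			problems = append(problems, "unexpanded literal: "+a)
		}
		args = append(args, a) // passed through verbatim
	}
	for _, name := range step.BuildArgsFromEnv {
		v, ok := env[name] // assumption: exact, case-sensitive lookup
		if !ok {
			problems = append(problems, "not in environment: "+name)
			continue
		}
		args = append(args, name+"="+v)
	}
	return args, problems
}

func main() {
	store := map[string]string{"npm_token": "constructed-token"} // constructed sample
	step := Step{[]string{"npm_token"}, []string{"NPM_TOKEN=${NPM_TOKEN}"}, []string{"npm_token", "NPM_TOKEN"}}
	fmt.Println(Resolve(step, SecretEnv(step, store)))
}
```

Values passed as Docker build arguments are visible to anyone with the image through `docker history`, which is one more reason to prefer the build-then-package layout recommended above.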