Drone v1.0.0 how to pass secrets as a build_arg into Dockerfile build step?

I have the following pipeline:

kind: pipeline
name: default
steps:
- name: docker build
  build:
    context: .
    image: hiho
    build_args:
      - ENV_VAR=$SOME_VALUE_ADDED_TO_DRONE_SECRETS

but the build_arg is not being used during the docker build. What is the proper syntax for this?

The build directive is experimental and passing secrets to the build_args parameter is not supported at this time.

Good to know. Related issue - I’ve also tried - ENV_VAR=hardcoded-secret-value and that did not work within drone exec

Instead of build_args you should use args (example below) but keep in mind the build directive is an undocumented and experimental feature and could be removed if we cannot solve some remaining design challenges. We also lack a subprocess to prune old build layers, which means your servers could fill up when using this feature. The recommended way to build and publish an image is the docker plugin which you can find here.

If you have any other questions let me know!

---
kind: pipeline
name: default

platform:
  os: linux
  arch: amd64

steps:
- name: test_build
  build:
    image: octocat/hello-world
    args:
      baz: boo
      foo: bar
    cache_from:
    - alpine
    - golang
    context: .
    labels:
      qux: qoo

...

PS sorry if my post about this feature comes off as negative, I just wanted to make sure I was up front about its current status. I certainly hope we can work through some of the known issues and fully support this feature and syntax going forward :slight_smile:

I appreciate the help! Do you know if there is a generic way for a drone.yml configuration to use a secret anywhere else in the yml?

My problem is this: I have a ruby project that uses a gem pulled from github, so I need to pass in a secret key as a build_arg to download it. I’ve checked the documentation for ECR plugin (we don’t use Dockerhub), but don’t see an explicit parameter for something like this, so my next thought is I would just use their build_args property but pass in a secret that I retrieve from Drone. Not sure if this is doable or if I’ll need to create my own plugin to do something like this.

I have provided a couple of options below. Note that this is not the full syntax for using the ecr plugins, but should hopefully give you enough information to get started.

Option 1

One option is to source the build_args value from a secret. The build_args are passed to the plugin as a comma-separated list which you can emulate.

kind: pipeline
name: default

steps:
- name: publish
  image: plugins/ecr
  settings:
    build_args:
      from_secret: my_secret

where

my_secret=key1=value1,key2=value2

Option 2

Or alternatively the plugin allows you to source build_args from the environment. So in this case, you source environment variables from secrets, and pass those environment variables as build args.

kind: pipeline
name: default

steps:
- name: publish
  image: plugins/ecr
  environment:
    USERNAME:
      from_secret: secret1
    PASSWORD:
      from_secret: secret2
  settings:
    build_args_from_env:
    - USERNAME
    - PASSWORD
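For Option 1 the whole build_args list lives in one secret in the "key1=value1,key2=value2" form, so it is worth checking the value before storing it. The helpers below are an added example, not code from the thread or from the plugins/ecr project; `encode_build_args` and `decode_build_args` are assumed names, and the decoding (split on "," then on the first "=") is an assumption about how that comma-separated form is read.

```python
# Added example: build and verify the comma-separated build_args secret used in
# Option 1. Not part of the Drone thread or the plugins/ecr source; the split
# rules below are an assumption about how the list form is parsed.
from typing import Dict, List


def encode_build_args(args: Dict[str, str]) -> str:
    """Serialize build args into the 'k1=v1,k2=v2' form stored in the secret."""
    parts: List[str] = []
    for key, value in args.items():
        if not key or "=" in key or "," in key:
            raise ValueError(f"invalid build arg name: {key!r}")
        if "," in value:
            # A comma would be read as the list separator and split the value.
            raise ValueError(f"value for {key!r} contains a comma; cannot be encoded")
        if "\n" in value:
            raise ValueError(f"value for {key!r} contains a newline; cannot be encoded")
        parts.append(f"{key}={value}")
    return ",".join(parts)


def decode_build_args(encoded: str) -> Dict[str, str]:
    """Reverse of encode_build_args: split on commas, then on the first '='."""
    result: Dict[str, str] = {}
    for item in encoded.split(",") if encoded else []:
        if "=" not in item:
            raise ValueError(f"malformed build arg entry: {item!r}")
        key, value = item.split("=", 1)  # values may themselves contain '='
        result[key] = value
    return result


if __name__ == "__main__":
    # Constructed placeholder values, not real credentials.
    sample = {"GITHUB_TOKEN": "ghp_PLACEHOLDER", "BUNDLE_GEMS__GITHUB__COM": "x:y"}
    secret = encode_build_args(sample)
    print(secret)
    assert decode_build_args(secret) == sample
```

Whichever option delivers the value, a docker build arg is recorded in the resulting image's metadata (it shows up in `docker history`), so a token passed this way should be short-lived or limited to read-only access.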

Apologies for all the questions. That solves my issue of building and pushing the image to ECR (hooray) but ideally I would test it before I pushed it. Given that the build directive is experimental (meaning I wouldn’t want to rely on it), what’s the next best alternative to building an image from a Dockerfile and using that on subsequent steps, while still being allowed to pass in the secret as a build argument?

I’ve tried not building an image and just putting the few lines from my Dockerfile as commands but

  1. This is not really acceptable since what’s tested could differ from what the Dockerfile creates, and
  2. Accessing these secrets is difficult; I haven’t figured out all the valid ways they can be used! Something like this does not work (are they only usable as “input parameters” and never as “inline values”?):
    environment:
      SECRET_VALUE:
        from_secret: SECRET_VALUE
    commands:
      - gem install bundler
      - bundle install
      - SECRET_VALUE=${SECRET_VALUE} bundle exec rubocop