Skip to content

Commit

Permalink
[GHA] Rework how secrets are used inside Dockerfiles.
Browse files Browse the repository at this point in the history
  • Loading branch information
s3rj1k committed Jun 22, 2024
1 parent 40a33e7 commit 453b18d
Show file tree
Hide file tree
Showing 9 changed files with 171 additions and 108 deletions.
31 changes: 19 additions & 12 deletions .github/docker/debian/bookworm/amd64/Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -51,19 +51,10 @@ deb [signed-by=${GPG_KEY}] https://${REPO_DOMAIN}/repo/deb/debian-unstable ${COD
deb-src [signed-by=${GPG_KEY}] https://${REPO_DOMAIN}/repo/deb/debian-unstable ${CODENAME} main
EOF

RUN --mount=type=secret,id=REPO_PASSWORD \
printf "machine ${REPO_DOMAIN} " > ~/.netrc && \
printf "login ${REPO_USERNAME} " >> ~/.netrc && \
printf "password " >> ~/.netrc && \
cat /run/secrets/REPO_PASSWORD >> ~/.netrc && \
cp -f ~/.netrc /etc/apt/auth.conf

RUN git config --global --add safe.directory '*' \
&& git config --global user.name "${MAINTAINER_NAME}" \
&& git config --global user.email "${MAINTAINER_EMAIL}"

RUN curl --netrc -o ${GPG_KEY} https://${REPO_DOMAIN}/repo/deb/debian-unstable/signalwire-freeswitch-repo.gpg

# Bootstrap and Build
COPY . ${DATA_DIR}
WORKDIR ${DATA_DIR}
Expand All @@ -72,9 +63,25 @@ RUN echo "export VERSION=$(cat ./build/next-release.txt | tr -d '\n')" | tee -a
RUN . ~/.env && ./debian/util.sh prep-create-orig -n -V${VERSION}-${BUILD_NUMBER}-${GIT_SHA} -x
RUN . ~/.env && ./debian/util.sh prep-create-dsc ${CODENAME}

RUN apt-get -q update && \
mk-build-deps --install --remove debian/control --tool "apt-get -y --no-install-recommends" && \
apt-get -y -f install
RUN --mount=type=secret,id=REPO_PASSWORD \
printf "machine ${REPO_DOMAIN} " > /etc/apt/auth.conf && \
printf "login ${REPO_USERNAME} " >> /etc/apt/auth.conf && \
printf "password " >> /etc/apt/auth.conf && \
cat /run/secrets/REPO_PASSWORD >> /etc/apt/auth.conf && \
curl \
--fail \
--netrc-file /etc/apt/auth.conf \
--output ${GPG_KEY} \
--silent \
https://${REPO_DOMAIN}/repo/deb/debian-unstable/signalwire-freeswitch-repo.gpg && \
file ${GPG_KEY} && \
apt-get --quiet update && \
mk-build-deps \
--install \
--remove debian/control \
--tool "apt-get --yes --no-install-recommends" && \
apt-get --yes --fix-broken install && \
rm -f /etc/apt/auth.conf

ENV DEB_BUILD_OPTIONS="parallel=1"
RUN . ~/.env && dch -b -M -v "${VERSION}-${BUILD_NUMBER}-${GIT_SHA}~${CODENAME}" \
Expand Down
31 changes: 19 additions & 12 deletions .github/docker/debian/bookworm/arm32v7/Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -51,19 +51,10 @@ deb [signed-by=${GPG_KEY}] https://${REPO_DOMAIN}/repo/deb/rpi/debian-dev ${CODE
deb-src [signed-by=${GPG_KEY}] https://${REPO_DOMAIN}/repo/deb/rpi/debian-dev ${CODENAME} main
EOF

RUN --mount=type=secret,id=REPO_PASSWORD \
printf "machine ${REPO_DOMAIN} " > ~/.netrc && \
printf "login ${REPO_USERNAME} " >> ~/.netrc && \
printf "password " >> ~/.netrc && \
cat /run/secrets/REPO_PASSWORD >> ~/.netrc && \
cp -f ~/.netrc /etc/apt/auth.conf

RUN git config --global --add safe.directory '*' \
&& git config --global user.name "${MAINTAINER_NAME}" \
&& git config --global user.email "${MAINTAINER_EMAIL}"

RUN curl --netrc -o ${GPG_KEY} https://${REPO_DOMAIN}/repo/deb/rpi/debian-dev/signalwire-freeswitch-repo.gpg

# Bootstrap and Build
COPY . ${DATA_DIR}
WORKDIR ${DATA_DIR}
Expand All @@ -72,9 +63,25 @@ RUN echo "export VERSION=$(cat ./build/next-release.txt | tr -d '\n')" | tee -a
RUN . ~/.env && ./debian/util.sh prep-create-orig -n -V${VERSION}-${BUILD_NUMBER}-${GIT_SHA} -x
RUN . ~/.env && ./debian/util.sh prep-create-dsc -a armhf ${CODENAME}

RUN apt-get -q update && \
mk-build-deps --install --remove debian/control --tool "apt-get -y --no-install-recommends" && \
apt-get -y -f install
RUN --mount=type=secret,id=REPO_PASSWORD \
printf "machine ${REPO_DOMAIN} " > /etc/apt/auth.conf && \
printf "login ${REPO_USERNAME} " >> /etc/apt/auth.conf && \
printf "password " >> /etc/apt/auth.conf && \
cat /run/secrets/REPO_PASSWORD >> /etc/apt/auth.conf && \
curl \
--fail \
--netrc-file /etc/apt/auth.conf \
--output ${GPG_KEY} \
--silent \
https://${REPO_DOMAIN}/repo/deb/rpi/debian-dev/signalwire-freeswitch-repo.gpg && \
file ${GPG_KEY} && \
apt-get --quiet update && \
mk-build-deps \
--install \
--remove debian/control \
--tool "apt-get --yes --no-install-recommends" && \
apt-get --yes --fix-broken install && \
rm -f /etc/apt/auth.conf

ENV DEB_BUILD_OPTIONS="parallel=1"
RUN . ~/.env && dch -b -M -v "${VERSION}-${BUILD_NUMBER}-${GIT_SHA}~${CODENAME}" \
Expand Down
31 changes: 19 additions & 12 deletions .github/docker/debian/bookworm/arm64v8/Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -51,19 +51,10 @@ deb [signed-by=${GPG_KEY}] https://${REPO_DOMAIN}/repo/deb/debian-unstable ${COD
deb-src [signed-by=${GPG_KEY}] https://${REPO_DOMAIN}/repo/deb/debian-unstable ${CODENAME} main
EOF

RUN --mount=type=secret,id=REPO_PASSWORD \
printf "machine ${REPO_DOMAIN} " > ~/.netrc && \
printf "login ${REPO_USERNAME} " >> ~/.netrc && \
printf "password " >> ~/.netrc && \
cat /run/secrets/REPO_PASSWORD >> ~/.netrc && \
cp -f ~/.netrc /etc/apt/auth.conf

RUN git config --global --add safe.directory '*' \
&& git config --global user.name "${MAINTAINER_NAME}" \
&& git config --global user.email "${MAINTAINER_EMAIL}"

RUN curl --netrc -o ${GPG_KEY} https://${REPO_DOMAIN}/repo/deb/debian-unstable/signalwire-freeswitch-repo.gpg

# Bootstrap and Build
COPY . ${DATA_DIR}
WORKDIR ${DATA_DIR}
Expand All @@ -72,9 +63,25 @@ RUN echo "export VERSION=$(cat ./build/next-release.txt | tr -d '\n')" | tee -a
RUN . ~/.env && ./debian/util.sh prep-create-orig -n -V${VERSION}-${BUILD_NUMBER}-${GIT_SHA} -x
RUN . ~/.env && ./debian/util.sh prep-create-dsc -a arm64 ${CODENAME}

RUN apt-get -q update && \
mk-build-deps --install --remove debian/control --tool "apt-get -y --no-install-recommends" && \
apt-get -y -f install
RUN --mount=type=secret,id=REPO_PASSWORD \
printf "machine ${REPO_DOMAIN} " > /etc/apt/auth.conf && \
printf "login ${REPO_USERNAME} " >> /etc/apt/auth.conf && \
printf "password " >> /etc/apt/auth.conf && \
cat /run/secrets/REPO_PASSWORD >> /etc/apt/auth.conf && \
curl \
--fail \
--netrc-file /etc/apt/auth.conf \
--output ${GPG_KEY} \
--silent \
https://${REPO_DOMAIN}/repo/deb/debian-unstable/signalwire-freeswitch-repo.gpg && \
file ${GPG_KEY} && \
apt-get --quiet update && \
mk-build-deps \
--install \
--remove debian/control \
--tool "apt-get --yes --no-install-recommends" && \
apt-get --yes --fix-broken install && \
rm -f /etc/apt/auth.conf

ENV DEB_BUILD_OPTIONS="parallel=1"
RUN . ~/.env && dch -b -M -v "${VERSION}-${BUILD_NUMBER}-${GIT_SHA}~${CODENAME}" \
Expand Down
31 changes: 19 additions & 12 deletions .github/docker/debian/bullseye/amd64/Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -51,19 +51,10 @@ deb [signed-by=${GPG_KEY}] https://${REPO_DOMAIN}/repo/deb/debian-unstable ${COD
deb-src [signed-by=${GPG_KEY}] https://${REPO_DOMAIN}/repo/deb/debian-unstable ${CODENAME} main
EOF

RUN --mount=type=secret,id=REPO_PASSWORD \
printf "machine ${REPO_DOMAIN} " > ~/.netrc && \
printf "login ${REPO_USERNAME} " >> ~/.netrc && \
printf "password " >> ~/.netrc && \
cat /run/secrets/REPO_PASSWORD >> ~/.netrc && \
cp -f ~/.netrc /etc/apt/auth.conf

RUN git config --global --add safe.directory '*' \
&& git config --global user.name "${MAINTAINER_NAME}" \
&& git config --global user.email "${MAINTAINER_EMAIL}"

RUN curl --netrc -o ${GPG_KEY} https://${REPO_DOMAIN}/repo/deb/debian-unstable/signalwire-freeswitch-repo.gpg

# Bootstrap and Build
COPY . ${DATA_DIR}
WORKDIR ${DATA_DIR}
Expand All @@ -72,9 +63,25 @@ RUN echo "export VERSION=$(cat ./build/next-release.txt | tr -d '\n')" | tee -a
RUN . ~/.env && ./debian/util.sh prep-create-orig -n -V${VERSION}-${BUILD_NUMBER}-${GIT_SHA} -x
RUN . ~/.env && ./debian/util.sh prep-create-dsc ${CODENAME}

RUN apt-get -q update && \
mk-build-deps --install --remove debian/control --tool "apt-get -y --no-install-recommends" && \
apt-get -y -f install
RUN --mount=type=secret,id=REPO_PASSWORD \
printf "machine ${REPO_DOMAIN} " > /etc/apt/auth.conf && \
printf "login ${REPO_USERNAME} " >> /etc/apt/auth.conf && \
printf "password " >> /etc/apt/auth.conf && \
cat /run/secrets/REPO_PASSWORD >> /etc/apt/auth.conf && \
curl \
--fail \
--netrc-file /etc/apt/auth.conf \
--output ${GPG_KEY} \
--silent \
https://${REPO_DOMAIN}/repo/deb/debian-unstable/signalwire-freeswitch-repo.gpg && \
file ${GPG_KEY} && \
apt-get --quiet update && \
mk-build-deps \
--install \
--remove debian/control \
--tool "apt-get --yes --no-install-recommends" && \
apt-get --yes --fix-broken install && \
rm -f /etc/apt/auth.conf

ENV DEB_BUILD_OPTIONS="parallel=1"
RUN . ~/.env && dch -b -M -v "${VERSION}-${BUILD_NUMBER}-${GIT_SHA}~${CODENAME}" \
Expand Down
31 changes: 19 additions & 12 deletions .github/docker/debian/bullseye/arm32v7/Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -51,19 +51,10 @@ deb [signed-by=${GPG_KEY}] https://${REPO_DOMAIN}/repo/deb/rpi/debian-dev ${CODE
deb-src [signed-by=${GPG_KEY}] https://${REPO_DOMAIN}/repo/deb/rpi/debian-dev ${CODENAME} main
EOF

RUN --mount=type=secret,id=REPO_PASSWORD \
printf "machine ${REPO_DOMAIN} " > ~/.netrc && \
printf "login ${REPO_USERNAME} " >> ~/.netrc && \
printf "password " >> ~/.netrc && \
cat /run/secrets/REPO_PASSWORD >> ~/.netrc && \
cp -f ~/.netrc /etc/apt/auth.conf

RUN git config --global --add safe.directory '*' \
&& git config --global user.name "${MAINTAINER_NAME}" \
&& git config --global user.email "${MAINTAINER_EMAIL}"

RUN curl --netrc -o ${GPG_KEY} https://${REPO_DOMAIN}/repo/deb/rpi/debian-dev/signalwire-freeswitch-repo.gpg

# Bootstrap and Build
COPY . ${DATA_DIR}
WORKDIR ${DATA_DIR}
Expand All @@ -72,9 +63,25 @@ RUN echo "export VERSION=$(cat ./build/next-release.txt | tr -d '\n')" | tee -a
RUN . ~/.env && ./debian/util.sh prep-create-orig -n -V${VERSION}-${BUILD_NUMBER}-${GIT_SHA} -x
RUN . ~/.env && ./debian/util.sh prep-create-dsc -a armhf ${CODENAME}

RUN apt-get -q update && \
mk-build-deps --install --remove debian/control --tool "apt-get -y --no-install-recommends" && \
apt-get -y -f install
RUN --mount=type=secret,id=REPO_PASSWORD \
printf "machine ${REPO_DOMAIN} " > /etc/apt/auth.conf && \
printf "login ${REPO_USERNAME} " >> /etc/apt/auth.conf && \
printf "password " >> /etc/apt/auth.conf && \
cat /run/secrets/REPO_PASSWORD >> /etc/apt/auth.conf && \
curl \
--fail \
--netrc-file /etc/apt/auth.conf \
--output ${GPG_KEY} \
--silent \
https://${REPO_DOMAIN}/repo/deb/rpi/debian-dev/signalwire-freeswitch-repo.gpg && \
file ${GPG_KEY} && \
apt-get --quiet update && \
mk-build-deps \
--install \
--remove debian/control \
--tool "apt-get --yes --no-install-recommends" && \
apt-get --yes --fix-broken install && \
rm -f /etc/apt/auth.conf

ENV DEB_BUILD_OPTIONS="parallel=1"
RUN . ~/.env && dch -b -M -v "${VERSION}-${BUILD_NUMBER}-${GIT_SHA}~${CODENAME}" \
Expand Down
31 changes: 19 additions & 12 deletions .github/docker/debian/bullseye/arm64v8/Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -51,19 +51,10 @@ deb [signed-by=${GPG_KEY}] https://${REPO_DOMAIN}/repo/deb/debian-unstable ${COD
deb-src [signed-by=${GPG_KEY}] https://${REPO_DOMAIN}/repo/deb/debian-unstable ${CODENAME} main
EOF

RUN --mount=type=secret,id=REPO_PASSWORD \
printf "machine ${REPO_DOMAIN} " > ~/.netrc && \
printf "login ${REPO_USERNAME} " >> ~/.netrc && \
printf "password " >> ~/.netrc && \
cat /run/secrets/REPO_PASSWORD >> ~/.netrc && \
cp -f ~/.netrc /etc/apt/auth.conf

RUN git config --global --add safe.directory '*' \
&& git config --global user.name "${MAINTAINER_NAME}" \
&& git config --global user.email "${MAINTAINER_EMAIL}"

RUN curl --netrc -o ${GPG_KEY} https://${REPO_DOMAIN}/repo/deb/debian-unstable/signalwire-freeswitch-repo.gpg

# Bootstrap and Build
COPY . ${DATA_DIR}
WORKDIR ${DATA_DIR}
Expand All @@ -72,9 +63,25 @@ RUN echo "export VERSION=$(cat ./build/next-release.txt | tr -d '\n')" | tee -a
RUN . ~/.env && ./debian/util.sh prep-create-orig -n -V${VERSION}-${BUILD_NUMBER}-${GIT_SHA} -x
RUN . ~/.env && ./debian/util.sh prep-create-dsc -a arm64 ${CODENAME}

RUN apt-get -q update && \
mk-build-deps --install --remove debian/control --tool "apt-get -y --no-install-recommends" && \
apt-get -y -f install
RUN --mount=type=secret,id=REPO_PASSWORD \
printf "machine ${REPO_DOMAIN} " > /etc/apt/auth.conf && \
printf "login ${REPO_USERNAME} " >> /etc/apt/auth.conf && \
printf "password " >> /etc/apt/auth.conf && \
cat /run/secrets/REPO_PASSWORD >> /etc/apt/auth.conf && \
curl \
--fail \
--netrc-file /etc/apt/auth.conf \
--output ${GPG_KEY} \
--silent \
https://${REPO_DOMAIN}/repo/deb/debian-unstable/signalwire-freeswitch-repo.gpg && \
file ${GPG_KEY} && \
apt-get --quiet update && \
mk-build-deps \
--install \
--remove debian/control \
--tool "apt-get --yes --no-install-recommends" && \
apt-get --yes --fix-broken install && \
rm -f /etc/apt/auth.conf

ENV DEB_BUILD_OPTIONS="parallel=1"
RUN . ~/.env && dch -b -M -v "${VERSION}-${BUILD_NUMBER}-${GIT_SHA}~${CODENAME}" \
Expand Down
31 changes: 19 additions & 12 deletions .github/docker/debian/buster/amd64/Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -51,19 +51,10 @@ deb [signed-by=${GPG_KEY}] https://${REPO_DOMAIN}/repo/deb/debian-unstable ${COD
deb-src [signed-by=${GPG_KEY}] https://${REPO_DOMAIN}/repo/deb/debian-unstable ${CODENAME} main
EOF

RUN --mount=type=secret,id=REPO_PASSWORD \
printf "machine ${REPO_DOMAIN} " > ~/.netrc && \
printf "login ${REPO_USERNAME} " >> ~/.netrc && \
printf "password " >> ~/.netrc && \
cat /run/secrets/REPO_PASSWORD >> ~/.netrc && \
cp -f ~/.netrc /etc/apt/auth.conf

RUN git config --global --add safe.directory '*' \
&& git config --global user.name "${MAINTAINER_NAME}" \
&& git config --global user.email "${MAINTAINER_EMAIL}"

RUN curl --netrc -o ${GPG_KEY} https://${REPO_DOMAIN}/repo/deb/debian-unstable/signalwire-freeswitch-repo.gpg

# Bootstrap and Build
COPY . ${DATA_DIR}
WORKDIR ${DATA_DIR}
Expand All @@ -73,9 +64,25 @@ RUN echo "export VERSION=$(cat ./build/next-release.txt | tr -d '\n')" | tee -a
RUN . ~/.env && ./debian/util.sh prep-create-orig -n -V${VERSION}-${BUILD_NUMBER}-${GIT_SHA} -x
RUN . ~/.env && ./debian/util.sh prep-create-dsc ${CODENAME}

RUN apt-get -q update && \
mk-build-deps --install --remove debian/control --tool "apt-get -y --no-install-recommends" && \
apt-get -y -f install
RUN --mount=type=secret,id=REPO_PASSWORD \
printf "machine ${REPO_DOMAIN} " > /etc/apt/auth.conf && \
printf "login ${REPO_USERNAME} " >> /etc/apt/auth.conf && \
printf "password " >> /etc/apt/auth.conf && \
cat /run/secrets/REPO_PASSWORD >> /etc/apt/auth.conf && \
curl \
--fail \
--netrc-file /etc/apt/auth.conf \
--output ${GPG_KEY} \
--silent \
https://${REPO_DOMAIN}/repo/deb/debian-unstable/signalwire-freeswitch-repo.gpg && \
file ${GPG_KEY} && \
apt-get --quiet update && \
mk-build-deps \
--install \
--remove debian/control \
--tool "apt-get --yes --no-install-recommends" && \
apt-get --yes --fix-broken install && \
rm -f /etc/apt/auth.conf

ENV DEB_BUILD_OPTIONS="parallel=1"
RUN . ~/.env && dch -b -M -v "${VERSION}-${BUILD_NUMBER}-${GIT_SHA}~${CODENAME}" \
Expand Down
31 changes: 19 additions & 12 deletions .github/docker/debian/buster/arm32v7/Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -51,19 +51,10 @@ deb [signed-by=${GPG_KEY}] https://${REPO_DOMAIN}/repo/deb/rpi/debian-dev ${CODE
deb-src [signed-by=${GPG_KEY}] https://${REPO_DOMAIN}/repo/deb/rpi/debian-dev ${CODENAME} main
EOF

RUN --mount=type=secret,id=REPO_PASSWORD \
printf "machine ${REPO_DOMAIN} " > ~/.netrc && \
printf "login ${REPO_USERNAME} " >> ~/.netrc && \
printf "password " >> ~/.netrc && \
cat /run/secrets/REPO_PASSWORD >> ~/.netrc && \
cp -f ~/.netrc /etc/apt/auth.conf

RUN git config --global --add safe.directory '*' \
&& git config --global user.name "${MAINTAINER_NAME}" \
&& git config --global user.email "${MAINTAINER_EMAIL}"

RUN curl --netrc -o ${GPG_KEY} https://${REPO_DOMAIN}/repo/deb/rpi/debian-dev/signalwire-freeswitch-repo.gpg

# Bootstrap and Build
COPY . ${DATA_DIR}
WORKDIR ${DATA_DIR}
Expand All @@ -72,9 +63,25 @@ RUN echo "export VERSION=$(cat ./build/next-release.txt | tr -d '\n')" | tee -a
RUN . ~/.env && ./debian/util.sh prep-create-orig -n -V${VERSION}-${BUILD_NUMBER}-${GIT_SHA} -x
RUN . ~/.env && ./debian/util.sh prep-create-dsc -a armhf ${CODENAME}

RUN apt-get -q update && \
mk-build-deps --install --remove debian/control --tool "apt-get -y --no-install-recommends" && \
apt-get -y -f install
RUN --mount=type=secret,id=REPO_PASSWORD \
printf "machine ${REPO_DOMAIN} " > /etc/apt/auth.conf && \
printf "login ${REPO_USERNAME} " >> /etc/apt/auth.conf && \
printf "password " >> /etc/apt/auth.conf && \
cat /run/secrets/REPO_PASSWORD >> /etc/apt/auth.conf && \
curl \
--fail \
--netrc-file /etc/apt/auth.conf \
--output ${GPG_KEY} \
--silent \
https://${REPO_DOMAIN}/repo/deb/rpi/debian-dev/signalwire-freeswitch-repo.gpg && \
file ${GPG_KEY} && \
apt-get --quiet update && \
mk-build-deps \
--install \
--remove debian/control \
--tool "apt-get --yes --no-install-recommends" && \
apt-get --yes --fix-broken install && \
rm -f /etc/apt/auth.conf

ENV DEB_BUILD_OPTIONS="parallel=1"
RUN . ~/.env && dch -b -M -v "${VERSION}-${BUILD_NUMBER}-${GIT_SHA}~${CODENAME}" \
Expand Down
Loading

0 comments on commit 453b18d

Please sign in to comment.