Skip to content

Fix docker build security #1274

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 11 commits into from
Sep 16, 2025
Merged

Fix docker build security #1274

merged 11 commits into from
Sep 16, 2025

Conversation

@kilemensi
Copy link
Member

@kilemensi kilemensi commented Sep 15, 2025

Description

This PR upgrades all apps to use build secrets when building Docker images. This should ensure all sensitive ENV vars are not included in the final built images.

Type of change

  • Bug fix (non-breaking change which fixes an issue)

Screenshots

N/A

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation

@kilemensi kilemensi self-assigned this Sep 15, 2025
@kilemensi kilemensi added the bug Something isn't working label Sep 15, 2025
@github-project-automation github-project-automation bot moved this to 🚧 In Progress in COMMONS Sep 15, 2025
chatgpt-codex-connector[bot]
chatgpt-codex-connector bot reviewed Sep 15, 2025
View reviewed changes
Copy link

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Codex Review: Here are some suggestions.

Reply with @codex fix comments to fix any unresolved comments.

About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you open a pull request for review, mark a draft as ready, or comment "@codex review". If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex fix this CI failure" or "@codex address that feedback".

@kilemensi
Switch to normal workflow
f0ef0e7 
  + There are issues with passing secrets in reusable workflow
github-advanced-security[bot]
github-advanced-security bot found potential problems Sep 15, 2025
View reviewed changes
@kilemensi
Use correct var names
1dafce1
@kilemensi
Remove build_secrets (for now)
3e6157d 
  + Need to find better way of passing secrets without making the
    reusable workflow aware of each and every secret name
@kilemensi
SENTRY_ORG, SENTRY_PROJECT are no longer ARG to build
faebb6d
@kilemensi kilemensi requested a review from a team September 15, 2025 13:36
@github-actions
Copy link
Contributor

github-actions bot commented Sep 15, 2025

Latest updated Preview URL

Name Review
codeforafrica-ui-pr-1274 Visit

koechkevin
koechkevin approved these changes Sep 16, 2025
View reviewed changes
Copy link
Contributor

@koechkevin koechkevin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tested this with Codeforafrica and charteafrica

thepsalmist
thepsalmist approved these changes Sep 16, 2025
View reviewed changes
Copy link
Contributor

@thepsalmist thepsalmist left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 🚀

kelvinkipruto
kelvinkipruto approved these changes Sep 16, 2025
View reviewed changes
@kilemensi kilemensi added this pull request to the merge queue Sep 16, 2025
Merged via the queue into main with commit b72e690 Sep 16, 2025
7 checks passed
@kilemensi kilemensi deleted the fix_docker_build_security branch September 16, 2025 10:33
@github-project-automation github-project-automation bot moved this from 🚧 In Progress to ✅ Done in COMMONS Sep 16, 2025
@kilemensi kilemensi mentioned this pull request Sep 16, 2025
Merged
5 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@chatgpt-codex-connector chatgpt-codex-connector[bot] chatgpt-codex-connector[bot] left review comments

@koechkevin koechkevin koechkevin approved these changes

@VinneyJ VinneyJ VinneyJ approved these changes

@kelvinkipruto kelvinkipruto kelvinkipruto approved these changes

@thepsalmist thepsalmist thepsalmist approved these changes

Assignees

@kilemensi kilemensi

Labels

bug Something isn't working

Projects

COMMONS
Status: ✅ Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@kilemensi @koechkevin @VinneyJ @kelvinkipruto @thepsalmist