action with 2 secret files - GHA is not mounting the second one #1010
Here is the Dockerfile:

This Dockerfile builds successfully locally when run with the following script:

Here are the relevant portions of the workflow file:

Followed by:

The first file, 

Anyone have any idea why it would mount one secret-file, but not the other? Any input would be greatly appreciated.
Replies: 7 comments
Can you post the full workflow file? You might need double escapes for quote signs in the secret value as shown in https://docs.docker.com/build/ci/github-actions/secrets/.
Sure. Here's the whole file, however, I'm not doing a 

```yaml
---
name: Docker build and publish image
on:
  workflow_call:
    inputs:
      IMAGE_NAME:
        required: true
        type: string
      TAG:
        required: true
        type: string
      DOCKERFILE:
        required: false
        default: Dockerfile
        type: string
      CONTEXT:
        required: false
        default: .
        type: string
      PUSH_IMAGE:
        required: false
        default: false
        type: boolean
      TEST_IMAGE:
        required: false
        default: false
        type: boolean
      BUILD_ARGS:
        required: false
        type: string
      REPO_CREDS:
        required: false
        default: false
        type: boolean
      DEBIAN:
        required: false
        default: false
        type: boolean
      LABELS:
        required: false
        type: string
      node_version:
        required: false
        type: string
env:
  DOCKER_BUILDKIT: 1
  DOCKER_REPO_NAME: docker
  ARTIFACTORY_TOKEN: ${{ secrets.ARTIFACTORY_TOKEN }}
jobs:
  build_and_push:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Login to artifactory
        uses: docker/login-action@v2
        with:
          registry: ${{ vars.ARTIFACTORY_URL }}
          username: ${{ vars.ARTIFACTORY_USERNAME }}
          password: ${{ env.ARTIFACTORY_TOKEN }}
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
        with:
          driver: docker
      # The files written by the next steps are passed to the build as BuildKit
      # secrets via secret-files; they are created inside the checkout directory.
      - name: Create artifactory env file
        if: inputs.REPO_CREDS == true
        run: >
          for var in DNF_VAR NPM_CONFIG ; do
          echo "export ${var}_ARTIFACTORY_USERNAME=${{ vars.ARTIFACTORY_USERNAME }}" >> .artifactory.env ;
          echo "export ${var}_ARTIFACTORY_TOKEN=${{ env.ARTIFACTORY_TOKEN }}" >> .artifactory.env ;
          echo "export ${var}_ARTIFACTORY_URL=${{ vars.ARTIFACTORY_URL }}" >> .artifactory.env
          ; done
      - name: Add yum/dnf vars to the env file
        if: inputs.REPO_CREDS == true
        run: |
          echo "export YUM0=${{ vars.ARTIFACTORY_USERNAME }}" >> .artifactory.env
          echo "export YUM1=${{ env.ARTIFACTORY_TOKEN }}" >> .artifactory.env
          echo "export YUM2=${{ vars.ARTIFACTORY_URL }}" >> .artifactory.env
      - name: Build the Debian sources.list file
        if: inputs.REPO_CREDS == true && inputs.DEBIAN == true
        run: |
          echo "deb [trusted=yes] https://${{ vars.ARTIFACTORY_USERNAME }}:${{ env.ARTIFACTORY_TOKEN }}@${{ vars.ARTIFACTORY_URL }}/artifactory/debian-main bullseye main" >> .sources_list.env
          echo "deb [trusted=yes] https://${{ vars.ARTIFACTORY_USERNAME }}:${{ env.ARTIFACTORY_TOKEN }}@${{ vars.ARTIFACTORY_URL }}/artifactory/debian-security bullseye-security main" >> .sources_list.env
          echo "deb [trusted=yes] https://${{ vars.ARTIFACTORY_USERNAME }}:${{ env.ARTIFACTORY_TOKEN }}@${{ vars.ARTIFACTORY_URL }}/artifactory/debian-main bullseye-updates main" >> .sources_list.env
          echo "deb [trusted=yes] https://${{ vars.ARTIFACTORY_USERNAME }}:${{ env.ARTIFACTORY_TOKEN }}@${{ vars.ARTIFACTORY_URL }}/artifactory/debian-postgresql bullseye-pgdg main" >> .sources_list.env
          # single "@" in the URL and the redirect appended, so this entry is
          # written to the file rather than echoed to the job log
          echo "deb [signed-by=/etc/apt/keyrings/libcontainers-stable.gpg] https://${{ vars.ARTIFACTORY_USERNAME }}:${{ env.ARTIFACTORY_TOKEN }}@${{ vars.ARTIFACTORY_URL }}/artifactory/libcontainers-stable-debian-11 /" >> .sources_list.env
      - name: Add pip vars to the env file
        if: inputs.REPO_CREDS == true
        run: >
          for var in INDEX INDEX_URL ; do
          echo "export PIP_${var}=https://${{ vars.ARTIFACTORY_USERNAME }}:${{ env.ARTIFACTORY_TOKEN }}@${{ vars.ARTIFACTORY_URL }}/artifactory/api/pypi/pypi/simple"
          >> .artifactory.env ; done
      - name: Test ${{ inputs.IMAGE_NAME }}
        uses: docker/build-push-action@v4
        if: inputs.TEST_IMAGE == true
        with:
          context: ${{ inputs.CONTEXT }}
          file: ${{ inputs.DOCKERFILE }}
          push: false
          tags: ${{ inputs.IMAGE_NAME }}:${{ inputs.TAG }}
          load: true
      - name: Build and push ${{ inputs.IMAGE_NAME }}
        uses: docker/build-push-action@v4
        if: |
          inputs.PUSH_IMAGE == true &&
          inputs.REPO_CREDS == false
        with:
          context: ${{ inputs.CONTEXT }}
          file: ${{ inputs.DOCKERFILE }}
          push: true
          pull: true
          no-cache: true
          tags: ${{ vars.ARTIFACTORY_URL }}/${{ env.DOCKER_REPO_NAME }}/${{ inputs.IMAGE_NAME }}:${{ inputs.TAG }}
          build-args: ${{ inputs.BUILD_ARGS }}
          labels: ${{ inputs.LABELS }}
      - name: Build and push ${{ inputs.IMAGE_NAME }} with repo creds
        uses: docker/build-push-action@v4
        # this guard has no DEBIAN term, so the step also runs when DEBIAN == true
        if: |
          inputs.PUSH_IMAGE == true &&
          inputs.REPO_CREDS == true
        with:
          context: ${{ inputs.CONTEXT }}
          file: ${{ inputs.DOCKERFILE }}
          push: true
          pull: true
          no-cache: true
          tags: ${{ vars.ARTIFACTORY_URL }}/${{ env.DOCKER_REPO_NAME }}/${{ inputs.IMAGE_NAME }}:${{ inputs.TAG }}
          build-args: ${{ inputs.BUILD_ARGS }}
          labels: ${{ inputs.LABELS }}
          secret-files: |
            "artifactory_env=./.artifactory.env"
      - name: Build and push ${{ inputs.IMAGE_NAME }} Debian-based image with repo creds
        uses: docker/build-push-action@v4
        if: |
          inputs.PUSH_IMAGE == true &&
          inputs.REPO_CREDS == true &&
          inputs.DEBIAN == true
        with:
          context: ${{ inputs.CONTEXT }}
          file: ${{ inputs.DOCKERFILE }}
          push: true
          pull: true
          no-cache: true
          tags: ${{ vars.ARTIFACTORY_URL }}/${{ env.DOCKER_REPO_NAME }}/${{ inputs.IMAGE_NAME }}:${{ inputs.TAG }}
          build-args: ${{ inputs.BUILD_ARGS }}
          labels: ${{ inputs.LABELS }}
          secret-files: |
            "artifactory_env=./.artifactory.env"
            "sources_list=./.sources_list.env"
      - name: Cleanup after build
        uses: colpal/actions-clean@v1
        if: always()
```
Indeed this is not necessary.

That's strange. Have you tried another mount path for testing like 
I have not yet tried another mount, but: 1. I need it to be at 
OK, I changed the mount in the Dockerfile to point to the following locations: 

Both runs failed, since I added a 

I'd really like to know why the GHA is not mounting the 2nd file.
Another data point: re-ordering the listing of the

```yaml
          secret-files: |
            "sources_list=./.sources_list.env"
            "artifactory_env=./.artifactory.env"
```

I tested its creation with the addition of a 

But the 
Thanks for looking - I've sorted it out. My conditionals weren't specific enough, & so the step that would actually mount the additional file was not running. I had to add another conditional to the previous step to ensure that it wouldn't run if the calling workflow needed the Debian step.
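The resolution above comes down to two `if:` guards that were not mutually exclusive: with `PUSH_IMAGE`, `REPO_CREDS` and `DEBIAN` all true, both the "with repo creds" step and the Debian step match, and the first of them mounts only `artifactory_env`. As an added example, not code from this thread or from docker/build-push-action, here is a small Python check that models the three build-push steps as predicates over the `workflow_call` inputs, enumerates every combination of the three booleans, and reports any combination where more than one build step would fire. The `fixed_steps` variant adds an `inputs.DEBIAN == false` guard to the non-Debian step; that guard is my reading of the fix described in the last reply, not a line taken from it, and the step and secret names are shortened from the workflow for readability.

```python
"""Mutual-exclusivity check for conditionally gated CI steps.

Added example, not from the thread. Each Step carries a predicate standing in
for its `if:` expression and the tuple of secret ids it would pass via
`secret-files`. Input names follow the posted workflow; the DEBIAN guard in
fixed_steps() is an assumed reconstruction of the fix described in the thread.
"""
from itertools import product
from typing import Callable, Dict, List, NamedTuple, Tuple

Inputs = Dict[str, bool]
INPUT_NAMES = ("PUSH_IMAGE", "REPO_CREDS", "DEBIAN")


class Step(NamedTuple):
    name: str
    runs_if: Callable[[Inputs], bool]   # models the step's `if:` expression
    secret_files: Tuple[str, ...]       # models its `secret-files:` list


def original_steps() -> List[Step]:
    """The three build-push steps as gated in the posted workflow."""
    return [
        Step("build-and-push",
             lambda i: i["PUSH_IMAGE"] and not i["REPO_CREDS"],
             ()),
        Step("build-and-push-with-repo-creds",
             # no DEBIAN term: this also fires for Debian builds
             lambda i: i["PUSH_IMAGE"] and i["REPO_CREDS"],
             ("artifactory_env",)),
        Step("build-and-push-debian-with-repo-creds",
             lambda i: i["PUSH_IMAGE"] and i["REPO_CREDS"] and i["DEBIAN"],
             ("artifactory_env", "sources_list")),
    ]


def fixed_steps() -> List[Step]:
    """Same steps with an added `inputs.DEBIAN == false` guard (assumed fix)."""
    steps = original_steps()
    steps[1] = steps[1]._replace(
        runs_if=lambda i: i["PUSH_IMAGE"] and i["REPO_CREDS"] and not i["DEBIAN"])
    return steps


def steps_that_run(steps: List[Step], inputs: Inputs) -> List[Step]:
    """Steps whose guard is true for these inputs, in workflow order."""
    return [s for s in steps if s.runs_if(inputs)]


def find_overlaps(steps: List[Step]) -> Dict[Tuple[bool, ...], List[str]]:
    """Enumerate all input combinations; return those where >1 build step fires.

    Keys are (PUSH_IMAGE, REPO_CREDS, DEBIAN) tuples, values the step names.
    """
    overlaps: Dict[Tuple[bool, ...], List[str]] = {}
    for values in product([False, True], repeat=len(INPUT_NAMES)):
        inputs = dict(zip(INPUT_NAMES, values))
        running = steps_that_run(steps, inputs)
        if len(running) > 1:
            overlaps[values] = [s.name for s in running]
    return overlaps


def secrets_for_first_build(steps: List[Step], inputs: Inputs) -> Tuple[str, ...]:
    """Secret ids mounted by the first build step that runs.

    That is the build whose `RUN --mount=type=secret` lines must all be
    satisfiable; a missing id fails the job before later steps are reached.
    """
    running = steps_that_run(steps, inputs)
    return running[0].secret_files if running else ()


if __name__ == "__main__":
    debian_push = {"PUSH_IMAGE": True, "REPO_CREDS": True, "DEBIAN": True}
    for label, steps in (("original", original_steps()), ("fixed", fixed_steps())):
        print(f"{label}: overlapping guards -> {find_overlaps(steps)}")
        print(f"{label}: first build for a Debian push mounts "
              f"{secrets_for_first_build(steps, debian_push)}")
```

With the original guards the Debian push runs the non-Debian step first, and that build sees only `artifactory_env`; a Dockerfile that also does `RUN --mount=type=secret,id=sources_list ...` fails there, before the Debian step is ever reached, which matches what the thread reports. Two points worth noting about this workflow independent of the guard bug: `.artifactory.env` and `.sources_list.env` are written into the checkout, which is also the build context, so a `COPY . .` in the Dockerfile would bake the token into an image layer unless those files are listed in `.dockerignore`; and `[trusted=yes]` in the generated sources list disables apt signature verification for those repositories.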