Merge pull request #824 from veimox/feature/secrets-expand-env-vars

Feature: Expand envrionment variables on secrets
gperdomor · Jul 16, 2023 · 1c4df14 · 1c4df14
2 parents 335d9ef + b1c52ae
commit 1c4df14
Show file tree

Hide file tree

Showing 5 changed files with 21 additions and 2 deletions.
diff --git a/packages/core/src/lib/interpolate.spec.ts b/packages/core/src/lib/interpolate.spec.ts
@@ -32,4 +32,17 @@ describe('String interpolation', () => {
   ])('given command "%s", should return "%s"', (command: string, expected: string) => {
     expect(interpolate(command)).toEqual(expected);
   });
+
+  it('should expand ${HOME}', () => {
+    expect(interpolate('${HOME}')).toEqual(process.env['HOME']);
+  });
+
+  it('should expand $HOME', () => {
+    expect(interpolate('$HOME')).toEqual(process.env['HOME']);
+  });
+
+  it('should not expand', () => {
+    const value = 'HOME';
+    expect(interpolate(value)).toEqual(value);
+  });
 });
diff --git a/packages/nx-container/docs/inputs.md b/packages/nx-container/docs/inputs.md
@@ -31,7 +31,7 @@ Following inputs can be used as `step.with` keys
 | `push`                | Bool     | [Push](https://github.com/docker/buildx#--push) is a shorthand for `--output=type=registry` (default `false`)                                                                     |
 | `quiet`               | Bool     | Run executor without printing engine info                                                                                                                                         |
 | `secret-files`        | List     | List of secret files to expose to the build (eg. key=filename, MY_SECRET=./secret.txt)                                                                                            |
-| `secrets`             | List     | List of secrets to expose to the build (eg. `key=value`, `GIT_AUTH_TOKEN=mytoken`)                                                                                                |
+| `secrets`             | List     | List of secrets to expose to the build (eg. `key=value`, `GIT_AUTH_TOKEN=mytoken`, `NPM_TOKEN=${NPM_TOKEN}` will use the environment variable)                                    |
 | `shm-size`¹           | String   | Size of [`/dev/shm`](https://github.com/docker/buildx/blob/master/docs/reference/buildx_build.md#-size-of-devshm---shm-size) (e.g., `2g`)                                         |
 | `ssh`                 | List     | List of SSH agent socket or keys to expose to the build                                                                                                                           |
 | `tags`                | List/CSV | List of tags                                                                                                                                                                      |

diff --git a/packages/nx-container/src/executors/build/engines/docker/buildx.ts b/packages/nx-container/src/executors/build/engines/docker/buildx.ts
@@ -4,6 +4,7 @@ import fs from 'node:fs';
 import path from 'node:path';
 import * as semver from 'semver';
 import * as context from '../../context';
+import { interpolate } from '@nx-tools/core';
 
 export async function getImageIDFile(): Promise<string> {
   return path.join(context.tmpDir(), 'iidfile').split(path.sep).join(path.posix.sep);
@@ -65,6 +66,8 @@ export async function getSecret(kvp: string, file: boolean): Promise<string> {
       throw new Error(`secret file ${value} not found`);
     }
     value = fs.readFileSync(value, { encoding: 'utf-8' });
+  } else {
+    value = interpolate(value);
   }
 
   const secretFile = context.tmpNameSync({

diff --git a/packages/nx-container/src/executors/build/engines/podman/podman.ts b/packages/nx-container/src/executors/build/engines/podman/podman.ts
@@ -4,6 +4,7 @@ import fs from 'node:fs';
 import path from 'node:path';
 import * as semver from 'semver';
 import * as context from '../../context';
+import { interpolate } from '@nx-tools/core';
 
 export async function getImageIDFile(): Promise<string> {
   return path.join(context.tmpDir(), 'iidfile').split(path.sep).join(path.posix.sep);
@@ -65,6 +66,8 @@ export async function getSecret(kvp: string, file: boolean): Promise<string> {
       throw new Error(`secret file ${value} not found`);
     }
     value = fs.readFileSync(value, { encoding: 'utf-8' });
+  } else {
+    value = interpolate(value);
   }
 
   const secretFile = context.tmpNameSync({

diff --git a/packages/nx-container/src/executors/build/schema.json b/packages/nx-container/src/executors/build/schema.json
@@ -131,7 +131,7 @@
       "items": {
         "type": "string"
       },
-      "description": "List of secrets to expose to the build (eg. key=string, GIT_AUTH_TOKEN=mytoken)"
+      "description": "List of secrets to expose to the build (eg. key=string, GIT_AUTH_TOKEN=mytoken, NPM_TOKEN=${NPM_TOKEN})"
     },
     "secret-files": {
       "type": "array",