From f4dffdce7ff5942329bfaa9bb3f6dc5becbc9690 Mon Sep 17 00:00:00 2001
From: eduartua
Date: Thu, 4 Dec 2025 17:04:56 -0600
Subject: [PATCH] Add support to mount secrets and do not use ARGs for secrets as they persists in the docker image

---
 .../build-docker-push-to-ecr-production.yml | 13 ++++++++-----
 .github/workflows/build-docker-push-to-ecr.yml | 10 +++++-----
 2 files changed, 13 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/build-docker-push-to-ecr-production.yml b/.github/workflows/build-docker-push-to-ecr-production.yml
index 96798f4..f4bab52 100644
--- a/.github/workflows/build-docker-push-to-ecr-production.yml
+++ b/.github/workflows/build-docker-push-to-ecr-production.yml
@@ -15,6 +15,13 @@ on:
 AWS_ROLE_NAME:
 required: true
 type: string
+ BUILD_ARGS:
+ required: false
+ type: string
+ BUILD_SECRETS:
+ required: false
+ type: string
+ description: "Docker build secret flags, e.g., --secret id=TOKEN1,env=SECRET1 --secret id=TOKEN2,env=SECRET2"
 DOCKERFILE_NAME:
 required: false
 type: string
@@ -32,10 +39,6 @@ on:
 type: boolean
 default: true
 
- secrets:
- BUILD_ARG:
- required: false
-
 jobs:
 docker:
 runs-on: ubuntu-latest
@@ -61,7 +64,7 @@ jobs:
 docker build -f ${{ inputs.DOCKERFILE_NAME }} \
 -t ${{ inputs.REGISTRY_URL }}/${{ inputs.APPLICATION_NAME }}:$GITHUB_SHA \
 ${{ inputs.BUILD_ARGS }} \
- ${{ secrets.BUILD_ARG }} \
+ ${{ inputs.BUILD_SECRETS }} \
 .
 docker push -a ${{ inputs.REGISTRY_URL }}/${{ inputs.APPLICATION_NAME }}
 - name: Retag and push container image
diff --git a/.github/workflows/build-docker-push-to-ecr.yml b/.github/workflows/build-docker-push-to-ecr.yml
index f308e38..09ca659 100644
--- a/.github/workflows/build-docker-push-to-ecr.yml
+++ b/.github/workflows/build-docker-push-to-ecr.yml
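Review bot: The documented example `--secret id=TOKEN1,env=SECRET1` reads `SECRET1` from the environment of the `docker build` process inside this reusable workflow, and a called workflow does not inherit the caller's `env:` or secrets, so with the `secrets:` block removed in the second hunk nothing visible in this patch makes that variable available; the build step in the third hunk shows no `env:` mapping, so presumably callers must pass `secrets: inherit` (or the workflow must declare secrets again) and the step must export them — confirm and document it. Because workflow inputs, unlike `secrets`, are not masked in logs and are visible in the run context, the description should also state that `BUILD_SECRETS` may carry only `--secret id=...,env=...` or `src=` references and never secret values; suggested wording: `description: "Docker --secret flags referencing env vars or files only (e.g. --secret id=TOKEN1,env=SECRET1); never put secret values here, inputs are not masked in logs. The referenced env vars must be set on the build step."`. Dropping `secrets.BUILD_ARG` is also breaking for callers that still pass `secrets: BUILD_ARG:`, since GitHub rejects secrets the called workflow does not declare; worth a line in the commit message. The same hunk appears in build-docker-push-to-ecr.yml (`@@ -18,6 +18,10 @@`).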
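Review bot: `${{ inputs.BUILD_SECRETS }}` on the added line is expanded into the `run:` script text before the shell parses it, so the input is a command-injection point for any caller-controlled value, the same pattern the existing `${{ inputs.BUILD_ARGS }}` line already has. The usual hardening is to bind the input to a step-level environment variable and reference it from the script: add `env:` with `BUILD_SECRETS: ${{ inputs.BUILD_SECRETS }}` on this step and change the line to `$BUILD_SECRETS \`. Note that `--secret` is only honoured by BuildKit; on the current `ubuntu-latest` runner plain `docker build` appears to default to buildx, but pinning `DOCKER_BUILDKIT=1` in that same `env:` block avoids a silent fallback where the flag is rejected. The enclosing step (`- name:` / `run: |`) starts above this hunk, and the identical change is in build-docker-push-to-ecr.yml (`@@ -64,7 +64,7 @@`).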
@@ -18,6 +18,10 @@ on:
 BUILD_ARGS:
 required: false
 type: string
+ BUILD_SECRETS:
+ required: false
+ type: string
+ description: "Docker build secret flags, e.g., --secret id=TOKEN1,env=SECRET1 --secret id=TOKEN2,env=SECRET2"
 DOCKERFILE_NAME:
 required: false
 type: string
@@ -35,10 +39,6 @@ on:
 type: boolean
 default: true
 
- secrets:
- BUILD_ARG:
- required: false
-
 jobs:
 docker:
 runs-on: ubuntu-latest
@@ -64,7 +64,7 @@ jobs:
 docker build -f ${{ inputs.DOCKERFILE_NAME }} \
 -t ${{ inputs.REGISTRY_URL }}/${{ inputs.APPLICATION_NAME }}:$GITHUB_SHA \
 ${{ inputs.BUILD_ARGS }} \
- ${{ secrets.BUILD_ARG }} \
+ ${{ inputs.BUILD_SECRETS }} \
 .
 docker push -a ${{ inputs.REGISTRY_URL }}/${{ inputs.APPLICATION_NAME }}
 - name: Retag and push container image