Mount secrets during build step

Our Docker images are usually built in Github actions. They sometimes need to mount secrets during build time. I’ve included an example below:

RUN --mount=type=secret,id=github_token \
    composer config --global $(cat /run/secrets/github_token) && \
    composer install \
      --ignore-platform-reqs \
      --no-interaction \
      --no-plugins \
      --no-scripts \

I’m trying to figure out how I can get this work with the oktetoy.yaml file. Is this possible?

Hi @boedy,

You can pass build arguments to the okteto cli as you would to a docker build:

okteto build --secret id=github_token,src=qwerty -t my-image .

You can also define you secrets in the okteto.yml file:

      github_token: qwerty

More info in the docs: Okteto Manifest | Okteto Documentation

Hope it helps!

Thanks for the prompt reply @maroshii . It seems it needs to be a file? Can a secret stored in Okteto be used? Something in in the lines of:

      github_token: $GITHUB_TOKEN

According to the docs $GITHUB_TOKEN should be defined in the environment so you should be able to export GITHUB_TOKEN=asdfg before running the build:

  • secrets: list of secrets exposed to the build. The value of each secret refers to a file. Okteto will resolve references containing a $ sign in this file to the environment variable value on the machine okteto is running on.

Okteto secrets are runtime secrets so they are not available at build time