Reputation: 4362
I have a (private) repository at GitHub with my project and an integrated GitHub Actions workflow which builds a Docker image and pushes it directly to GHCR.
But I have a problem with storing and passing secrets to my build image. I have the following structure in my project:
.git (gitignored)
.env (gitignored)
config (gitignored) / config files (jsons)
src (git) / other folders and files
As you can see, I have a .env file and a config folder. Both of them store data or files which are not in the repo but are required to be in the built environment.
So I'd like to ask: is there any option not to pass all these files to my main remote repo (even if it's private) but to link them in during the build stage within GitHub Actions?
It's not a problem to publish the env & configs somewhere else, privately, in another separate private remote repo. The point is not to push these files to the main private repo, because the RBAC logic doesn't allow me to restrict access to selected files.
P.S. Any other advice on using GitLab CI or Bitbucket, if you know how to solve the problem there, is also appreciated. Don't be shy to share it!
Upvotes: 2
Views: 1215
Reputation: 4362
It seems that this question is a bit hot, so I have found an answer for it.
The example shown here is based on a Node.js and NestJS app and pulls the private remote repo from GitHub.
In my case, this scenario was about pulling config files and other secrets from a separate private repo, and we merge them with our project during the container build. This option isn't about the security of secrets inside the container itself, but about making one part of a project (the repo itself with the business logic) available to other developers (they won't see the credentials and configs from the separate private repo in your development repo), with a secret private repo under separate access permissions.
You will all need your personal access token (PAT); on GitHub you can find it here:
As for GitLab, the flow is still the same. You'll need to pass the token from somewhere in the settings. And also, just a piece of advice: create not just one but two Dockerfiles before testing it.
Why https instead of ssh? In that case you'll also need to pass ssh keys and configure the client correctly. It's a bit more complicated because of CRLF and LF formats, the crypto algorithms supported by ssh, and so on.
# it could be Go, PHP, whatever
FROM node:17
# you will need your GitHub token from settings
# we will pass it to the build env via GitHub Actions (as a build-arg)
ARG CR_PAT
# owner and name of the separate private repo, also passed as build-args
# (they must be declared, otherwise ${github_username} and ${repo_name} expand to nothing)
ARG github_username
ARG repo_name
# deliberately no ENV CR_PAT: ENV would bake the token into the final image
# config. A build-arg still shows up in `docker history`; a BuildKit secret
# mount (RUN --mount=type=secret) is the way to keep it out entirely.
# update OS in build container
RUN apt-get update && apt-get install -y --no-install-recommends git
# workdir app, it is a cd (directory)
WORKDIR /usr/src/app
# installing nest library
RUN npm install -g @nestjs/cli
# config git with credentials, clone, then remove the credential again,
# all in one RUN so the token never persists in ~/.gitconfig in a layer
# we use https since it is much easier to config than ssh
# the clone lands in a fixed directory name (repo_folder); by default git
# would create ${repo_name} and the copy step below would not find it
RUN git config --global url."https://${github_username}:${CR_PAT}@github.com/".insteadOf "https://github.com/" \
 && git clone --depth 1 https://github.com/${github_username}/${repo_name}.git repo_folder \
 && git config --global --unset url."https://${github_username}:${CR_PAT}@github.com/".insteadOf \
 && rm -rf repo_folder/.git \
 && cp -a repo_folder/. . \
 && rm -rf repo_folder
# `cp -a repo_folder/. .` moves everything from the pulled repo to the root of
# WORKDIR, including files named with a dot at the beginning (like .env),
# while the clone's own .git directory is dropped first
# node.js stuff
COPY package.json yarn.lock* ./
RUN yarn install
COPY . .
RUN nest build app
# exec form only; `nest build app` in a monorepo emits dist/apps/app/main.js,
# adjust the path to match your nest-cli.json
CMD ["node", "dist/apps/app/main.js"]
As a result, you'll get a full container with your code merged with the files and code from the other separate repo which we pull from.
Upvotes: 1
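The workflow side that the answer only mentions ("we will pass it to build env via GitHub action"), as an added example that is not part of the original answer: it logs in to GHCR with the workflow's own GITHUB_TOKEN and forwards a separately stored PAT plus the owner and config-repo name as the three build-args the Dockerfile reads. The secret name CONFIG_REPO_PAT and the repo name my-private-config are placeholders; the action versions are the current major releases.

```yaml
name: build-and-push-image

on:
  push:
    branches: [main]

permissions:
  contents: read
  packages: write   # required to push to GHCR with GITHUB_TOKEN

jobs:
  image:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Log in to GHCR
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # GITHUB_TOKEN is scoped to this repository only, so cloning the
      # separate private config repo needs a PAT stored as a repository
      # secret (Settings > Secrets and variables > Actions). CONFIG_REPO_PAT
      # and my-private-config are placeholder names.
      # GHCR tags must be lowercase; if owner/repo contains capitals,
      # derive the tag with docker/metadata-action instead.
      - name: Build and push
        uses: docker/build-push-action@v5
        with:
          context: .
          push: true
          tags: ghcr.io/${{ github.repository }}:${{ github.sha }}
          build-args: |
            CR_PAT=${{ secrets.CONFIG_REPO_PAT }}
            github_username=${{ github.repository_owner }}
            repo_name=my-private-config
```

Anything passed through build-args is recorded in the image's layer history, so a token that must not ship with the pushed image should go through the action's `secrets:` input together with a `RUN --mount=type=secret,id=CR_PAT` line in the Dockerfile instead.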