Merge pull request #27602 from ZuhairM7/fix-remote-build-secrets

bindings: fix handling of env secrets in remote builds
2026-02-05 06:45:31 +01:00 · 2025-12-04 13:15:24 +00:00
parent 32be5c3f42 fdbb696731
commit 0bd2b4b358
2 changed files with 26 additions and 2 deletions
--- a/pkg/bindings/images/build.go
+++ b/pkg/bindings/images/build.go
@@ -626,7 +626,8 @@ func prepareSecrets(secrets []string, contextDir string, tempManager *remote_bui
 		for _, token := range secretOpt {
 			opt, val, hasVal := strings.Cut(token, "=")
 			if hasVal {
-				if opt == "src" {
+				switch opt {
+				case "src":
 					// read specified secret into a tmp file
 					// move tmp file to tar and change secret source to relative tmp file
 					tmpSecretFilePath, err := tempManager.CreateTempSecret(val, contextDir)
@@ -639,7 +640,21 @@ func prepareSecrets(secrets []string, contextDir string, tempManager *remote_bui

 					modifiedSrc := fmt.Sprintf("src=%s", filepath.Base(tmpSecretFilePath))
 					modifiedOpt = append(modifiedOpt, modifiedSrc)
-				} else {
+				case "env":
+					// read specified env into a tmp file
+					// move tmp file to tar and change secret source to relative tmp file
+					secretVal := os.Getenv(val)
+					tmpSecretFilePath, err := tempManager.CreateTempFileFromReader(contextDir, "podman-build-secret-*", strings.NewReader(secretVal))
+					if err != nil {
+						return nil, nil, err
+					}
+
+					// add tmp file to context dir
+					tarContent = append(tarContent, tmpSecretFilePath)
+
+					modifiedSrc := fmt.Sprintf("src=%s", filepath.Base(tmpSecretFilePath))
+					modifiedOpt = append(modifiedOpt, modifiedSrc)
+				default:
 					modifiedOpt = append(modifiedOpt, token)
 				}
 			}