envbuilder support for build-time secrets is undocumented

[ns-mkusper]

There doesn't seem to be any way to pass build-time secrets when using envbuilder, leaving me with no straight-forward option to include any Dockerfile with commands similar to:

RUN --mount=type=secret,id=test-token poetry config http-basic.test-token-pypi gitlab-ci-token $(cat /run/secrets/test-token)

I'd be willing to drop a patch for this, but I'm curious to hear opinions on whether or not this is something envbuilder can support without violating its design principles.

[ns-mkusper]

Seems that the standard kaniko method of mounting secrets in /kaniko does work to resolve this issue. This works for me and I'm willing to use it permanently but seems like something of a workaround.

[SasSwart]

Hey There!

Support for build secrets has been formalised and added as of #401.
Documentation is available here:
https://github.com/coder/envbuilder/blob/main/docs/build-secrets.md

This feature is as yet unreleased. Keep an eye on our releases and changelog for further information.
If you need this feature urgently, feel free to build your own envbuilder container using this script:
https://github.com/coder/envbuilder/blob/main/scripts/build.sh like this:

./scripts/build.sh --base=envbuilder-with-secrets

Our Terraform provider for envbuilder does not yet support build secrets.

[SasSwart]

Builds secrets are now also supported in the Terraform provider for envbuilder.
This was the last feature we needed to close this issue.

Closing.