Open
Description
Contributing guidelines
- I've read the contributing guidelines and wholeheartedly agree
I've found a bug, and:
- The documentation does not mention anything about my problem
- There are no open or closed issues that are related to my problem
Description
When passing a multi-line secret as specified in this documentation, if the secret contains newline characters at the end, they will be trimmed, leading to a malformed secret value during the docker build step.
This is problematic for secrets with significant whitespace such as private SSH keys.
Expected behaviour
The output of xxd in the docker build step should contain the whitespace declared as part of the secrets input variable.
00000000: 5445 5354 4553 5454 4553 5445 5354 5445 TESTESTTESTESTTE
00000010: 5354 4553 5454 4553 5445 5354 0a54 4553 STESTTESTEST.TES
00000020: 5445 5354 5445 5354 4553 5454 4553 5445 TESTTESTESTTESTE
00000030: 5354 5445 5354 4553 540a 5445 5354 4553 STTESTEST.TESTES
00000040: 5454 4553 5445 5354 5445 5354 4553 5454 TTESTESTTESTESTT
00000050: 4553 5445 5354 0a0a 0a0a ESTEST....
As it does when you pass a file (containing trailing whitespace) through a secret mount.
Actual behaviour
Inside the docker build step:
# ...
RUN --mount=type=secret,id=PRIVATE_SSH_KEY,target=/root/.ssh/id_rsa \
    xxd /root/.ssh/id_rsa
The output of this step is the following (notice the lack of newline characters at the end):
#8 [ubuntu-base 4/4] RUN --mount=type=secret,id=PRIVATE_SSH_KEY,target=/root/.ssh/id_rsa xxd /root/.ssh/id_rsa
#8 0.045 00000000: 5445 5354 4553 5454 4553 5445 5354 5445 TESTESTTESTESTTE
#8 0.045 00000010: 5354 4553 5454 4553 5445 5354 0a54 4553 STESTTESTEST.TES
#8 0.045 00000020: 5445 5354 5445 5354 4553 5454 4553 5445 TESTTESTESTTESTE
#8 0.045 00000030: 5354 5445 5354 4553 540a 5445 5354 4553 STTESTEST.TESTES
#8 0.045 00000040: 5454 4553 5445 5354 5445 5354 4553 5454 TTESTESTTESTESTT
#8 0.045 00000050: 4553 5445 5354 ESTEST
Repository URL
No response
Workflow run URL
No response
YAML workflow
- uses: docker/build-push-action@v6
  with:
    secrets: |
      "PRIVATE_SSH_KEY=TESTESTTESTESTTESTESTTESTEST
      TESTESTTESTESTTESTESTTESTEST
      TESTESTTESTESTTESTESTTESTEST
      "
Workflow logs
No response
BuildKit logs
No response
Additional info
No response
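An added example, not part of the original issue or the action's own code: a shell check that could run in the `RUN --mount=type=secret` step to count the trailing newline bytes of a mounted secret and fail the build with a message that reveals only counts, never the secret. The function names and the two sample files are constructed for illustration; the sample value is the placeholder from the issue.

```shell
#!/bin/sh
# Added example: byte-level check that a mounted secret kept its trailing newlines.

# Print the number of trailing newline (0x0a) bytes in file $1.
# Command substitution would strip them, so inspect bytes from the end with od.
trailing_newlines() {
    size=$(wc -c < "$1" | tr -d ' ')
    count=0
    while [ "$count" -lt "$size" ]; do
        byte=$(tail -c "$((count + 1))" "$1" | head -c 1 | od -An -tx1 | tr -d ' \n')
        [ "$byte" = "0a" ] || break
        count=$((count + 1))
    done
    echo "$count"
}

# Succeed only if file $1 ends with at least $2 newline bytes (default 1).
# Prints only counts, never the secret contents.
require_trailing_newlines() {
    want=${2:-1}
    have=$(trailing_newlines "$1")
    if [ "$have" -lt "$want" ]; then
        echo "secret $1: expected >= $want trailing newline(s), found $have" >&2
        return 1
    fi
}

# Constructed sample data: the placeholder value from the issue, written once
# with its four trailing newlines and once trimmed as the build step saw it.
demo_dir=$(mktemp -d)
line=TESTESTTESTESTTESTESTTESTEST
printf '%s\n%s\n%s\n\n\n\n' "$line" "$line" "$line" > "$demo_dir/from_file"
printf '%s\n%s\n%s' "$line" "$line" "$line" > "$demo_dir/from_input"

for f in from_file from_input; do
    if require_trailing_newlines "$demo_dir/$f" 2>/dev/null; then
        echo "$f: ok ($(trailing_newlines "$demo_dir/$f") trailing newlines)"
    else
        echo "$f: trailing newlines were trimmed"
    fi
done
```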