added hash of the secret key+value to invalidate buildkit cache when value changes

Signed-off-by: Richard <richard@dagger.io>
Richard 2021-09-10 15:10:39 -06:00 committed by Richard Jones
parent 7073bc89c0
commit 0666d6f55a
2 changed files with 9 additions and 2 deletions


@ -44,6 +44,8 @@ func (s *inputStore) GetSecret(ctx context.Context, id string) ([]byte, error) {
id = strings.TrimPrefix(id, secretPrefix) id = strings.TrimPrefix(id, secretPrefix)
id = strings.Split(id, ";hash=")[0]
input, ok := s.st.Inputs[id] input, ok := s.st.Inputs[id]
if !ok { if !ok {
return nil, secrets.ErrNotFound return nil, secrets.ErrNotFound
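Review bot: The `";hash="` separator on the added `strings.Split` line is a bare literal that has to stay in step with the format string built in `secretInput.Compile` in the other file, and nothing here says that the suffix is only a cache-busting tag that is dropped without being checked. A short comment would make that contract visible, for example `// strip the ";hash=<hex>" suffix appended by secretInput.Compile; it only varies the cache key and is not verified here`, and a shared constant for the separator would keep the two sides from drifting. Because `Split(...)[0]` cuts at the first occurrence, an input key that itself contains `;hash=` would be truncated and resolve to a different entry or to `ErrNotFound`. The body of `GetSecret` starts and continues outside this hunk.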


@ -1,6 +1,7 @@
package state package state
import ( import (
"crypto/sha256"
"encoding/json" "encoding/json"
"fmt" "fmt"
"io/ioutil" "io/ioutil"
@ -196,8 +197,12 @@ func SecretInput(data string) Input {
type secretInput string type secretInput string
func (i secretInput) Compile(key string, _ *State) (*compiler.Value, error) { func (i secretInput) Compile(key string, s *State) (*compiler.Value, error) {
return compiler.Compile("", fmt.Sprintf(`{id:%q}`, "secret="+key)) hash := sha256.New()
hash.Write([]byte(key))
checksum := hash.Sum([]byte(s.Inputs[key].Secret.PlainText()))
secretValue := fmt.Sprintf(`{id:"secret=%s;hash=%x"}`, key, checksum)
return compiler.Compile("", secretValue)
} }
func (i secretInput) PlainText() string { func (i secretInput) PlainText() string {
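Review bot: On the `checksum :=` line, `hash.Sum(b)` appends the digest to `b` rather than hashing it, so the result is the secret's plaintext bytes followed by SHA-256 of the key alone, and `%x` then writes the hex-encoded secret into the `id` string. The value should be written into the hash and `Sum(nil)` used, so that only the digest leaves the function. The switch from `%q` to `%s` for `key` also drops the quoting the removed line had, so a key containing `"` would no longer produce a well-formed literal; the fence below keeps `%q`. `s.Inputs[key].Secret` is dereferenced without a presence check, which looks like it could panic when the key is missing or is not a secret input; confirm against the callers. Even once fixed, an unsalted digest of a low-entropy secret can be tested against guesses offline, so a keyed hash is worth considering if these ids are persisted or logged.

```go
func (i secretInput) Compile(key string, s *State) (*compiler.Value, error) {
	// … unchanged: hash := sha256.New(); hash.Write([]byte(key)) …
	hash.Write([]byte(s.Inputs[key].Secret.PlainText()))
	checksum := hash.Sum(nil) // nil: return the digest only, never the input bytes
	id := fmt.Sprintf("secret=%s;hash=%x", key, checksum)
	return compiler.Compile("", fmt.Sprintf(`{id:%q}`, id))
}
```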