Merge pull request #965 from talentedmrjones/bust-cache-for-new-secrets

Bust the buildkit cache when secret value changes
Andrea Luzzardi
2021-09-16 09:01:59 -07:00
committed by GitHub
3 changed files with 9 additions and 2 deletions


@@ -44,6 +44,8 @@ func (s *inputStore) GetSecret(ctx context.Context, id string) ([]byte, error) {
id = strings.TrimPrefix(id, secretPrefix)
id = strings.Split(id, ";hash=")[0]
input, ok := s.st.Inputs[id]
if !ok {
return nil, secrets.ErrNotFound
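Review bot: Cutting at the first `;hash=` means an input whose name itself contains `;hash=` is looked up under a truncated name, since `strings.Split(id, ";hash=")[0]` keeps only the text before the first occurrence; the suffix is appended last, so trimming at `strings.LastIndex(id, ";hash=")` would be exact. The digest is discarded without being compared to the stored value, which looks intentional for cache busting but deserves a comment such as `// the ;hash= suffix only varies the cache key; it is not verified here`. GetSecret's body continues past the end of the hunk.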


@@ -1,6 +1,7 @@
package state
import (
"crypto/sha256"
"encoding/json"
"fmt"
"io/ioutil"
@@ -197,7 +198,11 @@ func SecretInput(data string) Input {
type secretInput string
func (i secretInput) Compile(key string, _ *State) (*compiler.Value, error) {
return compiler.Compile("", fmt.Sprintf(`{id:%q}`, "secret="+key))
hash := sha256.New()
hash.Write([]byte(key))
checksum := hash.Sum([]byte(i.PlainText()))
secretValue := fmt.Sprintf(`{id:"secret=%s;hash=%x"}`, key, checksum)
return compiler.Compile("", secretValue)
}
func (i secretInput) PlainText() string {
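Review bot: The new id embeds the secret itself, because `hash.Sum(b)` does not hash `b`: it appends the digest of what was written (only `key`) to `b`, so `checksum` in Compile is the plaintext bytes followed by SHA-256(key), and `%x` prints that plaintext hex-encoded wherever the id is shown. Feed the value into the hash instead: `hash.Write([]byte(i.PlainText()))` then `checksum := hash.Sum(nil)`. Even then, an unsalted SHA-256 of a short or guessable secret can be confirmed offline by anyone who sees the id, so a keyed digest (HMAC with a key that stays stable for the workspace) would be safer. The format string also moved `key` from `%q` to a bare `%s`, so a key containing `"` or `\` would no longer yield valid CUE; build the id string first and pass it through `%q` as the old line did.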


@@ -145,7 +145,7 @@ setup() {
# Make sure the secret doesn't show in dagger query
run "$DAGGER" query mySecret.id -f text
assert_success
assert_output "secret=mySecret"
assert_output --partial "secret=mySecret;hash="
}
@test "compute: docker socket" {
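Review bot: The `--partial "secret=mySecret;hash="` assertion no longer checks what the comment above it promises, because it accepts any text after `hash=`, including an encoding of the secret value. Add a negative check next to it, e.g. `refute_output --partial "<hex of the test secret value>"` (placeholder: the fixture's value is not visible in this hunk), and pin the suffix shape with `assert_output --regexp '^secret=mySecret;hash=[0-9a-f]{64}$'`. The test body starts outside the hunk.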