Merge pull request #965 from talentedmrjones/bust-cache-for-new-secrets

Bust the buildkit cache when secret value changes

solver/secretsprovider.go

@@ -44,6 +44,8 @@ func (s *inputStore) GetSecret(ctx context.Context, id string) ([]byte, error) {
 
 	id = strings.TrimPrefix(id, secretPrefix)
 
+	id = strings.Split(id, ";hash=")[0]
+
 	input, ok := s.st.Inputs[id]
 	if !ok {
 		return nil, secrets.ErrNotFound

state/input.go

@@ -1,6 +1,7 @@
 package state
 
 import (
+	"crypto/sha256"
 	"encoding/json"
 	"fmt"
 	"io/ioutil"
@@ -197,7 +198,11 @@ func SecretInput(data string) Input {
 type secretInput string
 
 func (i secretInput) Compile(key string, _ *State) (*compiler.Value, error) {
-	return compiler.Compile("", fmt.Sprintf(`{id:%q}`, "secret="+key))
+	hash := sha256.New()
+	hash.Write([]byte(key))
+	checksum := hash.Sum([]byte(i.PlainText()))
+	secretValue := fmt.Sprintf(`{id:"secret=%s;hash=%x"}`, key, checksum)
+	return compiler.Compile("", secretValue)
 }
 
 func (i secretInput) PlainText() string {

tests/core.bats

@@ -145,7 +145,7 @@ setup() {
     # Make sure the secret doesn't show in dagger query
     run "$DAGGER" query mySecret.id -f text
     assert_success
-    assert_output "secret=mySecret"
+    assert_output --partial "secret=mySecret;hash="
 }
 
 @test "compute: docker socket" {