9c0e2d1d95
- Secrets are never exposed in plaintext in the Cue tree. `dagger query` won't dump secrets anymore, Cue errors won't contain them either. - BuildKit-native secrets support through a new `mount` type. This ensures secrets will never be part of containerd layers, buildkit cache and generally speaking will never be saved to disk in plaintext. - Updated netlify as an example - Added tests - Changed the Cue definition of a secret to: ``` @dagger(secret) id: string } ``` This is to ensure both that setting the wrong input type on a secret (e.g. `dagger input text`) will fail, and attempting to misuse the secret (e.g. interpolating, passing as an env variable, etc) will also fail properly. Signed-off-by: Andrea Luzzardi <aluzzardi@gmail.com>
23 lines
319 B
CUE
23 lines
319 B
CUE
package dagger
|
|
|
|
import (
|
|
"dagger.io/dagger/op"
|
|
)
|
|
|
|
// An artifact such as source code checkout, container image, binary archive...
|
|
// May be passed as user input, or computed by a buildkit pipeline
|
|
|
|
#Artifact: {
|
|
@dagger(artifact)
|
|
#up: [...op.#Op]
|
|
_
|
|
...
|
|
}
|
|
|
|
// Secret value
|
|
#Secret: {
|
|
@dagger(secret)
|
|
|
|
id: string
|
|
}
|