Use mounted secrets (#51)

Author: iszulcdeepsense

docs/CHANGELOG.md

@@ -4,6 +4,11 @@ All **user-facing**, notable changes will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [2.15.0] - 2024-09-17
+### Changed
+- Use mounted secrets when building the image. This hides the secret
+  environment variables, so they can't be accessed after the build.
+
 ## [2.14.5] - 2024-06-05
 ### Changed
 - Job type format updated to new Racetrack interface for defining job types.

docs/compatibility.md

@@ -17,3 +17,4 @@ This document describes compatibility of the versions of this plugin with the Ra
 | 2.13.2         | `>= 2.26.0`                  |
 | 2.14.0         | `>= 2.26.0`                  |
 | 2.14.5         | `>= 2.30.0`                  |
+| 2.15.0         | `> 2.32.1`                   |

src/job-template.Dockerfile

@@ -44,9 +44,10 @@ RUN mkdir -p /usr/share/man/man1 && apt-get update -y &&\
 {% if manifest_jobtype_extra.requirements_path %}
 COPY "{{ manifest_jobtype_extra.requirements_path }}" /src/job/
 # Install job's requirements in isolated environment
-RUN . /src/job-venv/bin/activate &&\
+RUN --mount=type=secret,id=build_secrets,target=/run/secrets/build_secrets.env \
+    . /src/job-venv/bin/activate &&\
     cd /src/job/ &&\
-    pip install -r "{{ manifest_jobtype_extra.requirements_path }}" &&\
+    env $(cat /run/secrets/build_secrets.env | xargs) pip install -r "{{ manifest_jobtype_extra.requirements_path }}" &&\
     rm -rf /root/.cache/pip
     {%- if manifest_jobtype_extra.get('check_requirements', true) in [true, 'true'] %}
 # check for dependency conflicts

src/plugin-manifest.yaml

@@ -1,4 +1,4 @@
 name: python3-job-type
-version: 2.14.6
+version: 2.15.0
 url: 'https://github.com/TheRacetrack/plugin-python-job-type'
 category: 'job-type'