From 68ec61a3be89e288d35ec05aeeaa292f7416af0a Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Tue, 10 Feb 2026 11:18:07 +0000
Subject: [PATCH 1/4] docs: address issue #23189
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This change was automatically generated by the documentation agent team in response to issue #23189. 🤖 Generated with cagent
Signed-off-by: David Karlsson <35727626+dvdksn@users.noreply.github.com>
---
.../build/ci/github-actions/secrets.md | 121 ++++++++++++++++--
1 file changed, 113 insertions(+), 8 deletions(-)
diff --git a/content/manuals/build/ci/github-actions/secrets.md b/content/manuals/build/ci/github-actions/secrets.md
index b587bf7d7c..899f163cc0 100644
--- a/content/manuals/build/ci/github-actions/secrets.md
+++ b/content/manuals/build/ci/github-actions/secrets.md
@@ -57,14 +57,119 @@ jobs: "github_token=${{ secrets.GITHUB_TOKEN }}" ``` -> [!NOTE] -> -> You can also expose a secret file to the build with the `secret-files` input: -> -> ```yaml -> secret-files: | -> "MY_SECRET=./secret.txt" -> ``` +### Using secret files + +The `secret-files` input lets you mount existing files as secrets in your build. +This is useful when you need to use credential files that are generated during your workflow, +or when you need to mount configuration files like `.npmrc` or `.pypirc` that are already in the expected format. + +The key difference between `secrets` and `secret-files`: + +- `secrets`: Pass secret values as strings (from environment variables or GitHub secrets) +- `secret-files`: Mount existing files from the runner's filesystem + +#### Example: Using .npmrc for private npm packages + +If your build needs to install packages from a private npm registry, +you can create an `.npmrc` file and mount it as a secret: + +```yaml +name: ci + +on: + push: + +jobs: + docker: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@{{% param "setup_buildx_action_version" %}} + + - name: Create .npmrc file + run: | + echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" > .npmrc + + - name: Build + uses: docker/build-push-action@{{% param "build_push_action_version" %}} + with: + context: . + secret-files: | + npmrc=./.npmrc + tags: user/app:latest +``` + +In your Dockerfile, mount the secret file to the expected location: + +```dockerfile +# syntax=docker/dockerfile:1 +FROM node:20-alpine + +WORKDIR /app + +COPY package*.json ./ + +RUN --mount=type=secret,id=npmrc,target=/root/.npmrc \ + npm ci + +COPY . . 
+ +RUN npm run build +``` + +#### Example: Using dynamically generated credentials + +You can generate credential files from multiple secrets and mount them: + +```yaml +name: ci + +on: + push: + +jobs: + docker: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v6 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@{{% param "setup_buildx_action_version" %}} + + - name: Create credentials file + run: | + cat < aws-credentials + [default] + aws_access_key_id = ${{ secrets.AWS_ACCESS_KEY_ID }} + aws_secret_access_key = ${{ secrets.AWS_SECRET_ACCESS_KEY }} + EOF + + - name: Build + uses: docker/build-push-action@{{% param "build_push_action_version" %}} + with: + context: . + secret-files: | + aws=./aws-credentials + tags: user/app:latest +``` + +In your Dockerfile: + +```dockerfile +# syntax=docker/dockerfile:1 +FROM alpine + +RUN apk add --no-cache aws-cli + +RUN --mount=type=secret,id=aws,target=/root/.aws/credentials \ + aws s3 cp s3://my-private-bucket/data.tar.gz /tmp/ +``` + +### Multi-line secrets If you're using [GitHub secrets](https://docs.github.com/en/actions/security-guides/encrypted-secrets) and need to handle multi-line value, you will need to place the key-value pair From ec4458ca3a6af23cafc34919635ae81f90221d2a Mon Sep 17 00:00:00 2001 From: David Karlsson <35727626+dvdksn@users.noreply.github.com> Date: Tue, 17 Mar 2026 14:09:37 +0100 Subject: [PATCH 2/4] config: use param for latest checkout action version 
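Review bot: In the `.npmrc` example the token file is written to `./.npmrc` inside the build context (`context: .`), and the Dockerfile then runs `COPY . .`, so unless a `.dockerignore` (not mentioned in this hunk) excludes it, the token is copied into an image layer and the secret mount protects nothing. Write the file outside the context instead, e.g. `echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > "${RUNNER_TEMP}/npmrc"` and `npmrc=${{ runner.temp }}/npmrc` under `secret-files`. The second example's `./aws-credentials` sits in the context the same way and would be picked up by any `COPY .` a reader adds later. Both `run:` steps also expand `${{ secrets.* }}` straight into the script text; passing the value through an `env:` mapping such as `NPM_TOKEN: ${{ secrets.NPM_TOKEN }}` and referencing the shell variable avoids that. A sentence telling readers to keep secret files out of the build context would make the intent of `secret-files` explicit.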
Signed-off-by: David Karlsson <35727626+dvdksn@users.noreply.github.com> --- content/guides/angular/configure-github-actions.md | 2 +- content/guides/gha.md | 4 ++-- content/guides/github-sonarqube-sandbox/customize.md | 4 ++-- content/guides/nodejs/configure-github-actions.md | 4 ++-- content/guides/python/configure-github-actions.md | 2 +- content/guides/reactjs/configure-github-actions.md | 2 +- content/guides/vuejs/configure-github-actions.md | 2 +- content/manuals/build/ci/github-actions/configure-builder.md | 2 +- content/manuals/build/ci/github-actions/secrets.md | 4 ++-- content/manuals/build/policies/usage.md | 2 +- content/manuals/dhi/how-to/scan.md | 2 +- hugo.yaml | 2 ++ 12 files changed, 17 insertions(+), 15 deletions(-) diff --git a/content/guides/angular/configure-github-actions.md b/content/guides/angular/configure-github-actions.md index 52e448521c..2aefdffc65 100644 --- a/content/guides/angular/configure-github-actions.md +++ b/content/guides/angular/configure-github-actions.md @@ -158,7 +158,7 @@ jobs: steps: # 1. Checkout source code - name: Checkout source code - uses: actions/checkout@v4 + uses: actions/checkout@{{% param "checkout_action_version" %}} with: fetch-depth: 0 diff --git a/content/guides/gha.md b/content/guides/gha.md index 84be2bcb24..06862c4c32 100644 --- a/content/guides/gha.md +++ b/content/guides/gha.md @@ -103,7 +103,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@{{% param "checkout_action_version" %}} - name: Extract Docker image metadata id: meta uses: docker/metadata-action@{{% param "metadata_action_version" %}} @@ -216,7 +216,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@{{% param "checkout_action_version" %}} - name: Extract Docker image metadata id: meta 
diff --git a/content/guides/github-sonarqube-sandbox/customize.md b/content/guides/github-sonarqube-sandbox/customize.md index 61b22c2134..60e14f5c55 100644 --- a/content/guides/github-sonarqube-sandbox/customize.md +++ b/content/guides/github-sonarqube-sandbox/customize.md @@ -62,7 +62,7 @@ jobs: quality: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@{{% param "checkout_action_version" %}} - uses: actions/setup-node@v4 with: node-version: "18" @@ -91,7 +91,7 @@ jobs: quality: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@{{% param "checkout_action_version" %}} - uses: actions/setup-python@v5 with: python-version: "3.8" diff --git a/content/guides/nodejs/configure-github-actions.md b/content/guides/nodejs/configure-github-actions.md index fc4e8e072f..94a6caca74 100644 --- a/content/guides/nodejs/configure-github-actions.md +++ b/content/guides/nodejs/configure-github-actions.md @@ -175,7 +175,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@{{% param "checkout_action_version" %}} - name: Set up Docker Buildx uses: docker/setup-buildx-action@{{% param "setup_buildx_action_version" %}} @@ -220,7 +220,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@{{% param "checkout_action_version" %}} - name: Set up Docker Buildx uses: docker/setup-buildx-action@{{% param "setup_buildx_action_version" %}} diff --git a/content/guides/python/configure-github-actions.md b/content/guides/python/configure-github-actions.md index 29578b77ed..4d09f6798f 100644 --- a/content/guides/python/configure-github-actions.md +++ b/content/guides/python/configure-github-actions.md @@ -63,7 +63,7 @@ jobs: lint-test: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@{{% param "checkout_action_version" %}} - name: Set up Python uses: actions/setup-python@v5 
diff --git a/content/guides/reactjs/configure-github-actions.md b/content/guides/reactjs/configure-github-actions.md index c8de439ce2..f28c68f54b 100644 --- a/content/guides/reactjs/configure-github-actions.md +++ b/content/guides/reactjs/configure-github-actions.md @@ -158,7 +158,7 @@ jobs: steps: # 1. Checkout source code - name: Checkout source code - uses: actions/checkout@v4 + uses: actions/checkout@{{% param "checkout_action_version" %}} with: fetch-depth: 0 # Fetches full history for better caching/context diff --git a/content/guides/vuejs/configure-github-actions.md b/content/guides/vuejs/configure-github-actions.md index 634575fce5..0adffc4b54 100644 --- a/content/guides/vuejs/configure-github-actions.md +++ b/content/guides/vuejs/configure-github-actions.md @@ -158,7 +158,7 @@ jobs: steps: # 1. Checkout the codebase - name: Checkout Code - uses: actions/checkout@v4 + uses: actions/checkout@{{% param "checkout_action_version" %}} with: fetch-depth: 0 diff --git a/content/manuals/build/ci/github-actions/configure-builder.md b/content/manuals/build/ci/github-actions/configure-builder.md index 995b4a9208..9ba2924536 100644 --- a/content/manuals/build/ci/github-actions/configure-builder.md +++ b/content/manuals/build/ci/github-actions/configure-builder.md @@ -266,7 +266,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@{{% param "checkout_action_version" %}} - name: Set up Docker Buildx uses: docker/setup-buildx-action@{{% param "setup_buildx_action_version" %}} diff --git a/content/manuals/build/ci/github-actions/secrets.md b/content/manuals/build/ci/github-actions/secrets.md index 899f163cc0..42f2d83ab6 100644 --- a/content/manuals/build/ci/github-actions/secrets.md +++ b/content/manuals/build/ci/github-actions/secrets.md 
@@ -84,7 +84,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@{{% param "checkout_action_version" %}} - name: Set up Docker Buildx uses: docker/setup-buildx-action@{{% param "setup_buildx_action_version" %}} @@ -135,7 +135,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@{{% param "checkout_action_version" %}} - name: Set up Docker Buildx uses: docker/setup-buildx-action@{{% param "setup_buildx_action_version" %}} diff --git a/content/manuals/build/policies/usage.md b/content/manuals/build/policies/usage.md index ad941a6098..c7ba756161 100644 --- a/content/manuals/build/policies/usage.md +++ b/content/manuals/build/policies/usage.md @@ -306,7 +306,7 @@ jobs: test: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@{{% param "checkout_action_version" %}} - uses: docker/setup-buildx-action@{{% param "setup_buildx_action_version" %}} - name: Test build with policy run: docker buildx build --policy strict=true . diff --git a/content/manuals/dhi/how-to/scan.md b/content/manuals/dhi/how-to/scan.md index bca1ef1dad..b123cb4646 100644 --- a/content/manuals/dhi/how-to/scan.md +++ b/content/manuals/dhi/how-to/scan.md @@ -175,7 +175,7 @@ jobs: pull-requests: write steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@{{% param "checkout_action_version" %}} - name: Set up Docker with containerd image store uses: docker/setup-docker-action@{{% param "setup_docker_action_version" %}} diff --git a/hugo.yaml b/hugo.yaml index 75a24ef6ce..aa133ac9c4 100644 --- a/hugo.yaml +++ b/hugo.yaml @@ -159,6 +159,8 @@ params: setup_docker_action_version: "v5" setup_qemu_action_version: "v4" github_builder_version: "v1" + # Generic actions + checkout_action_version: "v6" # Example runtime/library/os versions example_go_version: "1.25" 
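Review bot: In the `hugo.yaml` hunk, `checkout_action_version: "v6"` is a mutable major tag, and after this commit it is what every checkout example on the site renders, including guides that previously showed `actions/checkout@v4`. Readers tend to copy these workflows verbatim, so the copied workflow runs whatever commit the tag points to at run time. Consider extending the comment to say so, e.g. `# Generic actions (major tags for readability; pin to a full commit SHA in production workflows)`. The same applies to the `cache_action_version` param added in PATCH 3/4.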
From 73ad76be717ee870a4a80e5853d6311881c4f27d Mon Sep 17 00:00:00 2001 From: David Karlsson <35727626+dvdksn@users.noreply.github.com> Date: Tue, 17 Mar 2026 14:12:13 +0100 Subject: [PATCH 3/4] config: use param for latest cache action version Signed-off-by: David Karlsson <35727626+dvdksn@users.noreply.github.com> --- content/guides/angular/configure-github-actions.md | 4 ++-- content/guides/nodejs/configure-github-actions.md | 4 ++-- content/guides/reactjs/configure-github-actions.md | 4 ++-- content/guides/vuejs/configure-github-actions.md | 4 ++-- content/manuals/build/ci/github-actions/cache.md | 4 ++-- hugo.yaml | 1 + 6 files changed, 11 insertions(+), 10 deletions(-) diff --git a/content/guides/angular/configure-github-actions.md b/content/guides/angular/configure-github-actions.md index 2aefdffc65..a4571093f1 100644 --- a/content/guides/angular/configure-github-actions.md +++ b/content/guides/angular/configure-github-actions.md @@ -168,7 +168,7 @@ jobs: # 3. Cache Docker layers - name: Cache Docker layers - uses: actions/cache@v4 + uses: actions/cache@{{% param "cache_action_version" %}} with: path: /tmp/.buildx-cache key: ${{ runner.os }}-buildx-${{ github.sha }} @@ -177,7 +177,7 @@ jobs: # 4. Cache npm dependencies - name: Cache npm dependencies - uses: actions/cache@v4 + uses: actions/cache@{{% param "cache_action_version" %}} with: path: ~/.npm key: ${{ runner.os }}-npm-${{ hashFiles('**/package-lock.json') }} diff --git a/content/guides/nodejs/configure-github-actions.md b/content/guides/nodejs/configure-github-actions.md index 94a6caca74..1f21b8398e 100644 --- a/content/guides/nodejs/configure-github-actions.md +++ b/content/guides/nodejs/configure-github-actions.md 
@@ -181,7 +181,7 @@ jobs: uses: docker/setup-buildx-action@{{% param "setup_buildx_action_version" %}} - name: Cache npm dependencies - uses: actions/cache@v4 + uses: actions/cache@{{% param "cache_action_version" %}} with: path: ~/.npm key: ${{ runner.os }}-npm-${{ hashFiles('**/package-lock.json') }} @@ -226,7 +226,7 @@ jobs: uses: docker/setup-buildx-action@{{% param "setup_buildx_action_version" %}} - name: Cache Docker layers - uses: actions/cache@v4 + uses: actions/cache@{{% param "cache_action_version" %}} with: path: /tmp/.buildx-cache key: ${{ runner.os }}-buildx-${{ github.sha }} diff --git a/content/guides/reactjs/configure-github-actions.md b/content/guides/reactjs/configure-github-actions.md index f28c68f54b..a74d319ed0 100644 --- a/content/guides/reactjs/configure-github-actions.md +++ b/content/guides/reactjs/configure-github-actions.md @@ -168,7 +168,7 @@ jobs: # 3. Cache Docker layers - name: Cache Docker layers - uses: actions/cache@v4 + uses: actions/cache@{{% param "cache_action_version" %}} with: path: /tmp/.buildx-cache key: ${{ runner.os }}-buildx-${{ github.sha }} @@ -176,7 +176,7 @@ jobs: # 4. Cache npm dependencies - name: Cache npm dependencies - uses: actions/cache@v4 + uses: actions/cache@{{% param "cache_action_version" %}} with: path: ~/.npm key: ${{ runner.os }}-npm-${{ hashFiles('**/package-lock.json') }} diff --git a/content/guides/vuejs/configure-github-actions.md b/content/guides/vuejs/configure-github-actions.md index 0adffc4b54..7df7f8dd29 100644 --- a/content/guides/vuejs/configure-github-actions.md +++ b/content/guides/vuejs/configure-github-actions.md @@ -168,7 +168,7 @@ jobs: # 3. Cache Docker layers - name: Cache Docker Layers - uses: actions/cache@v4 + uses: actions/cache@{{% param "cache_action_version" %}} with: path: /tmp/.buildx-cache key: ${{ runner.os }}-buildx-${{ github.sha }} 
@@ -177,7 +177,7 @@ jobs: # 4. Cache npm dependencies - name: Cache npm Dependencies - uses: actions/cache@v4 + uses: actions/cache@{{% param "cache_action_version" %}} with: path: ~/.npm key: ${{ runner.os }}-npm-${{ hashFiles('**/package-lock.json') }} diff --git a/content/manuals/build/ci/github-actions/cache.md b/content/manuals/build/ci/github-actions/cache.md index 5073f185c5..8e7af62cc4 100644 --- a/content/manuals/build/ci/github-actions/cache.md +++ b/content/manuals/build/ci/github-actions/cache.md @@ -246,7 +246,7 @@ jobs: type=semver,pattern={{major}}.{{minor}} - name: Go Build Cache for Docker - uses: actions/cache@v4 + uses: actions/cache@{{% param "cache_action_version" %}} with: path: go-build-cache key: ${{ runner.os }}-go-build-cache-${{ hashFiles('**/go.sum') }} @@ -303,7 +303,7 @@ jobs: uses: docker/setup-buildx-action@{{% param "setup_buildx_action_version" %}} - name: Cache Docker layers - uses: actions/cache@v4 + uses: actions/cache@{{% param "cache_action_version" %}} with: path: ${{ runner.temp }}/.buildx-cache key: ${{ runner.os }}-buildx-${{ github.sha }} diff --git a/hugo.yaml b/hugo.yaml index aa133ac9c4..b0a88ebdb0 100644 --- a/hugo.yaml +++ b/hugo.yaml @@ -161,6 +161,7 @@ params: github_builder_version: "v1" # Generic actions checkout_action_version: "v6" + cache_action_version: "v5" # Example runtime/library/os versions example_go_version: "1.25" From 09b83b246f89742b0580335c005bb37f7077d16a Mon Sep 17 00:00:00 2001 From: David Karlsson <35727626+dvdksn@users.noreply.github.com> Date: Tue, 17 Mar 2026 14:12:50 +0100 Subject: [PATCH 4/4] chore: bump versions in sonarqube sandbox guide Signed-off-by: David Karlsson <35727626+dvdksn@users.noreply.github.com> --- content/guides/github-sonarqube-sandbox/customize.md | 8 ++++---- content/guides/python/configure-github-actions.md | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) 
diff --git a/content/guides/github-sonarqube-sandbox/customize.md b/content/guides/github-sonarqube-sandbox/customize.md index 60e14f5c55..5044fb05df 100644 --- a/content/guides/github-sonarqube-sandbox/customize.md +++ b/content/guides/github-sonarqube-sandbox/customize.md @@ -63,9 +63,9 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@{{% param "checkout_action_version" %}} - - uses: actions/setup-node@v4 + - uses: actions/setup-node@v5 with: - node-version: "18" + node-version: "24" - run: npm install - run: npx tsx 06-quality-gated-pr.ts env: @@ -92,9 +92,9 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@{{% param "checkout_action_version" %}} - - uses: actions/setup-python@v5 + - uses: actions/setup-python@v6 with: - python-version: "3.8" + python-version: "3.14" - run: pip install e2b python-dotenv - run: python 06_quality_gated_pr.py env: diff --git a/content/guides/python/configure-github-actions.md b/content/guides/python/configure-github-actions.md index 4d09f6798f..2ada187cad 100644 --- a/content/guides/python/configure-github-actions.md +++ b/content/guides/python/configure-github-actions.md @@ -66,9 +66,9 @@ jobs: - uses: actions/checkout@{{% param "checkout_action_version" %}} - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@v6 with: - python-version: '3.12' + python-version: '3.14' - name: Install dependencies run: |