Simplify secret mount explanation with cross-reference

Replace detailed explanation of secret mount behavior with brief
callout that cross-references the canonical Build secrets documentation.

This avoids duplicating content that's already covered in detail at
/manuals/build/building/secrets.md and keeps the GitHub Actions page
focused on the GitHub Actions-specific usage patterns.

Assisted-By: docker-agent
This commit is contained in:
David Karlsson
2026-03-20 11:43:37 +00:00
parent cc9469622c
commit 292d43302d

@@ -57,51 +57,12 @@ jobs:
"github_token=${{ secrets.GITHUB_TOKEN }}"
```
### How secrets appear in the build container
When you use a secret mount, the secret is made available as a file inside the build container.
By default, secrets are mounted to `/run/secrets/<id>`, where `<id>` is the secret identifier
you specify in the `--mount` instruction.
For more details on secret mounts, file locations, and permissions,
see [Secret mounts](/manuals/build/building/secrets.md#secret-mounts).
**File location:**
- Default path: `/run/secrets/<id>` (for example, `/run/secrets/github_token`)
- Custom path: Use the `target` option to specify a different location
**Environment variable secrets:**
When you use the `env` option in your secret mount
(like `--mount=type=secret,id=github_token,env=GITHUB_TOKEN`),
the secret file content is automatically loaded into the specified environment variable.
This is useful when tools expect credentials via environment variables rather than files.
**Example with custom target:**
```dockerfile
# syntax=docker/dockerfile:1
FROM alpine
# Mount secret to a custom location and use it with curl
RUN --mount=type=secret,id=github_token,target=/tmp/token \
curl -H "Authorization: token $(cat /tmp/token)" https://api.github.com/user
```
**Example using secret as environment variable:**
```dockerfile
# syntax=docker/dockerfile:1
FROM alpine
# Load secret into environment variable
RUN --mount=type=secret,id=github_token,env=GITHUB_TOKEN \
curl -H "Authorization: token ${GITHUB_TOKEN}" https://api.github.com/user
```
> [!WARNING]
> Never use commands like `cat`, `echo`, or `printenv` to output secret values directly,
> as this would expose them in build logs and layer history.
> Always consume secrets within commands without displaying their values.
> [!NOTE]
> Secrets are mounted as files in the build container.
> By default, they're available at `/run/secrets/<id>`.
> You can also use the `env` option to load a secret into an environment variable,
> or the `target` option to customize the mount path.
> For details on secret mounts, see [Build secrets](/manuals/build/building/secrets.md).
### Using secret files
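Review bot: The `[!WARNING]` callout about never using `cat`, `echo`, or `printenv` to output secret values is part of the text this hunk condenses, and the replacement `[!NOTE]` covers only mount location, `env`, and `target`, so the one piece of guidance that prevents secrets from leaking into build logs and layer history is no longer stated on the GitHub Actions page. Either keep the warning as its own short callout next to the note, or confirm that /manuals/build/building/secrets.md carries the same guidance and say so in the note, since readers of this page are the ones most likely to debug a failing workflow by printing the token. A smaller point: the earlier link targeted `/manuals/build/building/secrets.md#secret-mounts`, while the new note links to the top of the page; keeping the `#secret-mounts` anchor would land readers directly on the section that the note summarizes.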