# Using secrets with GitHub Actions A build secret is sensitive information, such as a password or API token, consumed as part of the build process. Docker Build supports two forms of secrets: - [Secret mounts](#secret-mounts) add secrets as files in the build container (under `/run/secrets` by default). - [SSH mounts](#ssh-mounts) add SSH agent sockets or keys into the build container. This page shows how to use secrets with GitHub Actions. For an introduction to secrets in general, see [Build secrets](/build/building/secrets/). ## Secret mounts In the following example uses and exposes the [`GITHUB_TOKEN` secret](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#about-the-github_token-secret) as provided by GitHub in your workflow. First, create a `Dockerfile` that uses the secret: ```dockerfile # syntax=docker/dockerfile:1 FROM alpine RUN --mount=type=secret,id=github_token,env=GITHUB_TOKEN ... ``` In this example, the secret name is `github_token`. The following workflow exposes this secret using the `secrets` input: ```yaml name: ci on: push: jobs: docker: runs-on: ubuntu-latest steps: - name: Set up QEMU uses: docker/setup-qemu-action@v4 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v4 - name: Build uses: docker/build-push-action@v7 with: platforms: linux/amd64,linux/arm64 tags: user/app:latest secrets: | "github_token=${{ secrets.GITHUB_TOKEN }}" ``` > [!NOTE] > Secrets are mounted as files in the build container. > By default, they're available at `/run/secrets/`. > You can also use the `env` option to load a secret into an environment variable, > or the `target` option to customize the mount path. > For details on secret mounts, see [Build secrets](/build/building/secrets/). ### Using secret files The `secret-files` input lets you mount existing files as secrets in your build. This is useful when you need to use credential files that are generated during your workflow, or when you need to mount configuration files like `.npmrc` or `.pypirc` that are already in the expected format. The key difference between `secrets` and `secret-files`: - `secrets`: Pass secret values as strings (from environment variables or GitHub secrets) - `secret-files`: Mount existing files from the runner's filesystem #### Example: Using .npmrc for private npm packages If your build needs to install packages from a private npm registry, you can create an `.npmrc` file and mount it as a secret: ```yaml name: ci on: push: jobs: docker: runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v6 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v4 - name: Create .npmrc file run: | echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" > .npmrc - name: Build uses: docker/build-push-action@v7 with: context: . secret-files: | npmrc=./.npmrc tags: user/app:latest ``` In your Dockerfile, mount the secret file to the expected location: ```dockerfile # syntax=docker/dockerfile:1 FROM node:20-alpine WORKDIR /app COPY package*.json ./ RUN --mount=type=secret,id=npmrc,target=/root/.npmrc \ npm ci COPY . . RUN npm run build ``` #### Example: Using dynamically generated credentials You can generate credential files from multiple secrets and mount them: ```yaml name: ci on: push: jobs: docker: runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v6 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v4 - name: Create credentials file run: | cat < aws-credentials [default] aws_access_key_id = ${{ secrets.AWS_ACCESS_KEY_ID }} aws_secret_access_key = ${{ secrets.AWS_SECRET_ACCESS_KEY }} EOF - name: Build uses: docker/build-push-action@v7 with: context: . secret-files: | aws=./aws-credentials tags: user/app:latest ``` In your Dockerfile: ```dockerfile # syntax=docker/dockerfile:1 FROM alpine RUN apk add --no-cache aws-cli RUN --mount=type=secret,id=aws,target=/root/.aws/credentials \ aws s3 cp s3://my-private-bucket/data.tar.gz /tmp/ ``` ### Multi-line secrets If you're using [GitHub secrets](https://docs.github.com/en/actions/security-guides/encrypted-secrets) and need to handle multi-line value, you will need to place the key-value pair between quotes: ```yaml secrets: | "MYSECRET=${{ secrets.GPG_KEY }}" GIT_AUTH_TOKEN=abcdefghi,jklmno=0123456789 "MYSECRET=aaaaaaaa bbbbbbb ccccccccc" FOO=bar "EMPTYLINE=aaaa bbbb ccc" "JSON_SECRET={""key1"":""value1"",""key2"":""value2""}" ``` | Key | Value | | ---------------- | ----------------------------------- | | `MYSECRET` | `***********************` | | `GIT_AUTH_TOKEN` | `abcdefghi,jklmno=0123456789` | | `MYSECRET` | `aaaaaaaa\nbbbbbbb\nccccccccc` | | `FOO` | `bar` | | `EMPTYLINE` | `aaaa\n\nbbbb\nccc` | | `JSON_SECRET` | `{"key1":"value1","key2":"value2"}` | > [!NOTE] > > Double escapes are needed for quote signs. ## SSH mounts SSH mounts let you authenticate with SSH servers. For example to perform a `git clone`, or to fetch application packages from a private repository. The following Dockerfile example uses an SSH mount to fetch Go modules from a private GitHub repository. ```dockerfile {collapse=1} # syntax=docker/dockerfile:1 ARG GO_VERSION="1.25" FROM golang:${GO_VERSION}-alpine AS base ENV CGO_ENABLED=0 ENV GOPRIVATE="github.com/foo/*" RUN apk add --no-cache file git rsync openssh-client RUN mkdir -p -m 0700 ~/.ssh && ssh-keyscan github.com >> ~/.ssh/known_hosts WORKDIR /src FROM base AS vendor # this step configure git and checks the ssh key is loaded RUN --mount=type=ssh <