Using `ARG` in a `Dockerfile` isn't recommended for passing secrets and is considered an anti-pattern (see big warning in https://docs.docker.com/reference/dockerfile/#arg). Instead, it is recommended to use `RUN --mount=type=secret`.

This also applies to `Containerfile` and `podman`.

Is it possible to add support for this? In the app spec, maybe instead of having `scope: BUILD_TIME`, we could have something like `BUILD_TIME_SECRET` to differentiate whether something is passed as an `ARG` or as a `secret`.
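
Added example, not part of the original post: the two mechanisms the request contrasts, shown side by side as two stages of one Dockerfile. The variable `API_TOKEN`, the secret id `api_token`, the file `api_token.txt` and the URL are constructed placeholders.

```dockerfile
# syntax=docker/dockerfile:1

# --- Anti-pattern: secret passed as a build argument -----------------------
# Build: docker build --target with-arg --build-arg API_TOKEN=<value> .
# The ARG value is expanded into the RUN step and recorded in the image
# metadata, so anyone who can pull the image can read it with `docker history`.
FROM alpine:3.20 AS with-arg
ARG API_TOKEN
RUN wget --header="Authorization: Bearer ${API_TOKEN}" \
         -O /tmp/artifact.tgz https://artifacts.example.invalid/artifact.tgz

# --- Recommended: secret mounted for a single RUN step ---------------------
# Build: docker build --target with-secret --secret id=api_token,src=./api_token.txt .
# (podman build accepts the same --secret id=...,src=... form.)
# The secret is exposed at /run/secrets/<id> only while this RUN executes;
# it is not written to a layer and does not appear in the build history.
FROM alpine:3.20 AS with-secret
RUN --mount=type=secret,id=api_token \
    wget --header="Authorization: Bearer $(cat /run/secrets/api_token)" \
         -O /tmp/artifact.tgz https://artifacts.example.invalid/artifact.tgz
```

Running `docker history --no-trunc` against an image built from each stage shows the difference: the `with-arg` image carries the token in its build metadata, while the `with-secret` image records only the command text with the `$(cat /run/secrets/api_token)` substitution left unexpanded.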