How to use secrets

Most operations in client support handling secrets (see Interacting with the client). More specifically, you can:

• Write a secret to a file;
• Read a secret from a file;
• Read a secret from an environment variable;
• Read a secret from the output of a command;
• Use a secret as the input of a command.

Environmnet

The simplest use case is reading from an environment variable:

dagger.#Plan & {
    client: env: GITHUB_TOKEN: dagger.#Secret
}

File

You may need to trim the whitespace, especially when reading from a file:

dagger.#Plan & {
    // Path may be absolute, or relative to current working directory
    client: filesystem: ".registry": read: {
        // CUE type defines expected content
        contents: dagger.#Secret
    }
    actions: {
        registry: dagger.#TrimSecret & {
            input: client.filesystem.".registry".read.contents
        }
        pull: docker.#Pull & {
            source: "registry.example.com/image"
            auth: {
                username: "_token_"
                secret:   registry.output
            }
        }
    }
}

SOPS

There’s many ways to store encrypted secrets in your git repository. If you use SOPS, here's a simple example where you can access keys from an encrypted yaml file:

secrets.yaml

myToken: ENC[AES256_GCM,data:AlUz7g==,iv:lq3mHi4GDLfAssqhPcuUIHMm5eVzJ/EpM+q7RHGCROU=,tag:dzbT5dEGhMnHbiRTu4bHdg==,type:str]
sops:
    ...

main.cue

dagger.#Plan & {
    client: commands: sops: {
        name: "sops"
        args: ["-d", "./secrets.yaml"]
        stdout: dagger.#Secret
    }

    actions: {
        // Makes the yaml keys easily accessible
        secrets: dagger.#DecodeSecret & {
            input:  client.commands.sops.stdout
            format: "yaml"
        }

        run: docker.#Run & {
            mounts: secret: {
                dest:     "/run/secrets/token"
                contents: secrets.output.myToken
            }
            // Do something with `/run/secrets/token`
        }
    }
}