From 2ca7b96e33288e08647cae36f286178e0fb61a1e Mon Sep 17 00:00:00 2001
From: Nicolas De Loof
Date: Mon, 22 Sep 2025 10:31:34 +0200
Subject: [PATCH] resolve secrets based on env var before executing bake

Signed-off-by: Nicolas De Loof
---
 pkg/compose/build_bake.go | 30 ++++++++++++++++---
 pkg/e2e/fixtures/build-test/secrets/.env | 1 +
 .../fixtures/build-test/secrets/Dockerfile | 4 +++
 .../fixtures/build-test/secrets/compose.yml | 3 ++
 4 files changed, 34 insertions(+), 4 deletions(-)
 create mode 100644 pkg/e2e/fixtures/build-test/secrets/.env

diff --git a/pkg/compose/build_bake.go b/pkg/compose/build_bake.go
index 13a334d8e..4c85556d3 100644
--- a/pkg/compose/build_bake.go
+++ b/pkg/compose/build_bake.go
@@ -176,6 +176,18 @@ func (s *composeService) doBuildBake(ctx context.Context, project *types.Project
 }
 }

+ // tmpSecrets stores secret set by environment variables, so we don't have to "pollute" bake process's environment
+ tmpSecrets, err := os.MkdirTemp("", "secrets")
+ if err != nil {
+ return nil, err
+ }
+ defer func() {
+ rerr := os.RemoveAll(tmpSecrets)
+ if rerr != nil {
+ logrus.Warnf("Failed to removed temporary secrets directory %s: %s", tmpSecrets, rerr.Error())
+ }
+ }()
+
 for serviceName, service := range project.Services {
 if service.Build == nil {
 continue
@@ -231,6 +243,11 @@ func (s *composeService) doBuildBake(ctx context.Context, project *types.Project
 noCache := service.Build.NoCache || options.NoCache

 target := targets[serviceName]
+
+ secrets, err := toBakeSecrets(project, build.Secrets, tmpSecrets)
+ if err != nil {
+ return nil, err
+ }
 cfg.Targets[target] = bakeTarget{
 Context: build.Context,
 Contexts: additionalContexts(build.AdditionalContexts, targets),
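Review bot: The deferred `os.RemoveAll(tmpSecrets)` is the only thing that deletes the plaintext secret files this directory will hold, and it runs only when doBuildBake returns; a process killed mid-build leaves the values on disk under the temp directory (0700 from `os.MkdirTemp`, files 0600 as toBakeSecrets writes them), which the comment should say so the next reader does not treat the directory as harmless scratch space. Suggested comment in place of the current one: `// tmpSecrets receives plaintext copies of environment-backed secrets as 0600 files so bake can mount them as type=file without inheriting them through its environment; it is removed on return, so an abnormally terminated process leaves them behind.` The warning also has a typo and formats the error by hand; `logrus.Warnf("Failed to remove temporary secrets directory %s: %s", tmpSecrets, rerr)` reads the same. doBuildBake starts and ends outside this hunk.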
@@ -245,7 +262,7 @@ func (s *composeService) doBuildBake(ctx context.Context, project *types.Project
 NetworkMode: build.Network,
 Platforms: build.Platforms,
 Target: build.Target,
- Secrets: toBakeSecrets(project, build.Secrets),
+ Secrets: secrets,
 SSH: toBakeSSH(append(build.SSH, options.SSHs...)),
 Pull: pull,
 NoCache: noCache,
@@ -454,7 +471,7 @@ func toBakeSSH(ssh types.SSHConfig) []string {
 return s
 }

-func toBakeSecrets(project *types.Project, secrets []types.ServiceSecretConfig) []string {
+func toBakeSecrets(project *types.Project, secrets []types.ServiceSecretConfig, tmpSecrets string) ([]string, error) {
 var s []string
 for _, ref := range secrets {
 def := project.Secrets[ref.Source]
@@ -464,12 +481,17 @@ func toBakeSecrets(project *types.Project, secrets []types.ServiceSecretConfig)
 }
 switch {
 case def.Environment != "":
- s = append(s, fmt.Sprintf("id=%s,type=env,env=%s", target, def.Environment))
+ sf := filepath.Join(tmpSecrets, def.Environment)
+ err := os.WriteFile(sf, []byte(project.Environment[def.Environment]), 0o600)
+ if err != nil {
+ return nil, err
+ }
+ s = append(s, fmt.Sprintf("id=%s,type=file,src=%s", target, sf))
 case def.File != "":
 s = append(s, fmt.Sprintf("id=%s,type=file,src=%s", target, def.File))
 }
 }
- return s
+ return s, nil
 }

 func toBakeAttest(build types.BuildConfig) []string {
diff --git a/pkg/e2e/fixtures/build-test/secrets/.env b/pkg/e2e/fixtures/build-test/secrets/.env
new file mode 100644
index 000000000..9f8bc4f5d
--- /dev/null
+++ b/pkg/e2e/fixtures/build-test/secrets/.env
@@ -0,0 +1 @@
+ANOTHER_SECRET=zot
\ No newline at end of file
diff --git a/pkg/e2e/fixtures/build-test/secrets/Dockerfile b/pkg/e2e/fixtures/build-test/secrets/Dockerfile
index bd5e12f1b..336673b05 100644
--- a/pkg/e2e/fixtures/build-test/secrets/Dockerfile
+++ b/pkg/e2e/fixtures/build-test/secrets/Dockerfile
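Review bot: toBakeSecrets still has no doc comment, and the new `tmpSecrets` parameter carries a contract a caller has to know — it must be an existing directory, environment-backed secrets are written into it as files, and the returned specs point at those files, so the directory has to outlive the bake run. Suggested comment above the signature: `// toBakeSecrets converts a service's secret references into bake secret specs. Environment-backed secrets are materialised as 0600 files under tmpSecrets, a directory the caller creates beforehand and removes after the bake run; file-backed secrets are passed through by path.` The function body continues past this hunk.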
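Review bot: In the `case def.Environment != ""` branch, `project.Environment[def.Environment]` is indexed without the ok check, so a secret whose variable is set neither in the process environment nor in .env is materialised as an empty file and the build runs with an empty secret instead of failing; if an unset variable is meant to be tolerated, it should at least be reported. The same value is also used unchecked as the file name under tmpSecrets, so a name containing a path separator or `..` would make `filepath.Join` write outside the temporary directory; it comes from the compose file, which is normally the user's own, but a bare-name check costs one comparison. The rewrite below adds both checks and leaves the type=file spec unchanged. toBakeSecrets's signature and the start of its loop lie outside this hunk.
```go
		case def.Environment != "":
			value, ok := project.Environment[def.Environment]
			if !ok {
				return nil, fmt.Errorf("secret %q: environment variable %q is not set", ref.Source, def.Environment)
			}
			// the variable name becomes a file name under tmpSecrets; reject anything that is not a bare name
			if filepath.Base(def.Environment) != def.Environment {
				return nil, fmt.Errorf("secret %q: invalid environment variable name %q", ref.Source, def.Environment)
			}
			sf := filepath.Join(tmpSecrets, def.Environment)
			if err := os.WriteFile(sf, []byte(value), 0o600); err != nil {
				return nil, err
			}
			s = append(s, fmt.Sprintf("id=%s,type=file,src=%s", target, sf))
		// … unchanged: case def.File != "" …
```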
@@ -24,3 +24,7 @@ RUN diff /tmp/expected /tmp/actual
 RUN echo "bar" > /tmp/expected
 RUN --mount=type=secret,id=build_secret cat /run/secrets/build_secret > tmp/actual
 RUN diff --ignore-all-space /tmp/expected /tmp/actual
+
+RUN echo "zot" > /tmp/expected
+RUN --mount=type=secret,id=dotenvsecret cat /run/secrets/dotenvsecret > tmp/actual
+RUN diff --ignore-all-space /tmp/expected /tmp/actual
diff --git a/pkg/e2e/fixtures/build-test/secrets/compose.yml b/pkg/e2e/fixtures/build-test/secrets/compose.yml
index c8e794c20..f041acf61 100644
--- a/pkg/e2e/fixtures/build-test/secrets/compose.yml
+++ b/pkg/e2e/fixtures/build-test/secrets/compose.yml
@@ -5,6 +5,7 @@ services:
 context: .
 secrets:
 - mysecret
+ - dotenvsecret
 - source: envsecret
 target: build_secret

@@ -13,3 +14,5 @@ secrets:
 file: ./secret.txt
 envsecret:
 environment: SOME_SECRET
+ dotenvsecret:
+ environment: ANOTHER_SECRET