feat: use docker buildx secret for token

container/onePollerPerContainer/Dockerfile

@@ -1,14 +1,13 @@
 # GO_VERSION should be overridden by the build script via --build-arg GO_VERSION=$value
 ARG GO_VERSION
-FROM golang:${GO_VERSION} as builder
+FROM golang:${GO_VERSION} AS builder
 
 SHELL ["/bin/bash", "-c"]
 
 ARG INSTALL_DIR=/opt/harvest
 ARG BUILD_DIR=/opt/home
 ARG VERSION=2.0
 ARG RELEASE=nightly
-ARG GIT_TOKEN
 ARG ASUP_MAKE_TARGET=build
 
 # Set the Current Working Directory inside the container
@@ -18,11 +17,13 @@ RUN mkdir -p $INSTALL_DIR $INSTALL_DIR/container/onePollerPerContainer $INSTALL_
 
 COPY . .
 
-RUN if [[ -n "$ASUP_MAKE_TARGET" && -n "$GIT_TOKEN" ]]; then \
-make build asup VERSION=$VERSION RELEASE=$RELEASE ASUP_MAKE_TARGET=$ASUP_MAKE_TARGET GIT_TOKEN=$GIT_TOKEN ; \
-else \
-make build VERSION=$VERSION RELEASE=$RELEASE BIN_PLATFORM=linux ;\
-fi
+RUN --mount=type=secret,id=git_token \
+    if [[ -n "$ASUP_MAKE_TARGET" && -f "/run/secrets/git_token" ]]; then \
+    GIT_TOKEN=$(cat /run/secrets/git_token) && \
+    make build asup VERSION=$VERSION RELEASE=$RELEASE ASUP_MAKE_TARGET=$ASUP_MAKE_TARGET GIT_TOKEN=$GIT_TOKEN ; \
+    else \
+    make build VERSION=$VERSION RELEASE=$RELEASE BIN_PLATFORM=linux ;\
+    fi
 
 RUN cp -a $BUILD_DIR/harvest.yml $INSTALL_DIR/harvest.yml.example
 
@@ -39,4 +40,4 @@ ENV HARVEST_DOCKER=yes
 COPY --from=builder $INSTALL_DIR $INSTALL_DIR
 WORKDIR $INSTALL_DIR
 
-ENTRYPOINT ["bin/poller"]
+ENTRYPOINT ["bin/poller"]

jenkins/artifacts/jenkinsfile

@@ -140,18 +140,26 @@ pipeline {
             }
       }
 
-        stage('Build Docker Image ') {
-                steps {
-                  withDockerRegistry([credentialsId: "DockerHub", url: ""]) {
-                    sh '''
-                    targetLocation=$targetParentLocation$VERSION-$RELEASE-$BRANCH
-                    docker login
-                    docker build -f container/onePollerPerContainer/Dockerfile --build-arg GO_VERSION=${GO_VERSION} --build-arg VERSION=$VERSION --build-arg RELEASE=$RELEASE --build-arg ASUP_MAKE_TARGET=$ASUP_MAKE_TARGET --build-arg GIT_TOKEN=$GIT_TOKEN  -t ${imageName}:latest -t ${imageName}:$VERSION-$RELEASE -t ${jfrogImagePrefix}:latest -t ${jfrogImagePrefix}:$VERSION-$RELEASE -t ${ghcrImage}:latest -t ${ghcrImage}:$VERSION-$RELEASE . --no-cache
-                    docker save -o ${targetLocation}/docker_harvest.tar ${ghcrImage}:latest
-                    '''
-                  }
+        stage('Build Docker Image') {
+            steps {
+                withCredentials([string(credentialsId: 'GIT_TOKEN', variable: 'GIT_TOKEN')]) {
+                    script {
+                        // Write the GIT_TOKEN to a temporary file
+                        def gitTokenFile = "${env.WORKSPACE}/git_token"
+                        writeFile file: gitTokenFile, text: env.GIT_TOKEN
+
+                        withDockerRegistry([credentialsId: "DockerHub", url: ""]) {
+                            sh '''
+                            targetLocation=$targetParentLocation$VERSION-$RELEASE-$BRANCH
+                            docker login
+                            docker build --secret id=git_token,src=${gitTokenFile} -f container/onePollerPerContainer/Dockerfile --build-arg GO_VERSION=${GO_VERSION} --build-arg VERSION=$VERSION --build-arg RELEASE=$RELEASE --build-arg ASUP_MAKE_TARGET=$ASUP_MAKE_TARGET -t ${imageName}:latest -t ${imageName}:$VERSION-$RELEASE -t ${jfrogImagePrefix}:latest -t ${jfrogImagePrefix}:$VERSION-$RELEASE -t ${ghcrImage}:latest -t ${ghcrImage}:$VERSION-$RELEASE . --no-cache
+                            docker save -o ${targetLocation}/docker_harvest.tar ${ghcrImage}:latest
+                            '''
+                        }
+                    }
                 }
-              }
+            }
+        }
 
          stage('Publish builds locally'){
           steps {
@@ -219,46 +227,55 @@ pipeline {
       }
 
       stage('Publish Nightly Build to GitHub') {
-        when {
-            expression {
-                return params.RELEASE == 'nightly' && env.BRANCH == 'main' && params.ASUP_MAKE_TARGET == 'production'
-            }
-        }
-        steps {
-           sh '''
-           targetLocation=$targetParentLocation$VERSION-$RELEASE-$BRANCH
-           wget -q -O /opt/home/gh.tar.gz "https://github.com/cli/cli/releases/download/v2.8.0/gh_2.8.0_linux_386.tar.gz"
-           tar -C /opt/home -xzf /opt/home/gh.tar.gz
-           echo $GIT_TOKEN > mytoken.txt
-           /opt/home/gh_2.8.0_linux_386/bin/gh auth login --with-token < mytoken.txt
-           /opt/home/gh_2.8.0_linux_386/bin/gh release view nightly && /opt/home/gh_2.8.0_linux_386/bin/gh release delete nightly || true
-           if [ $(git tag -l nightly) ]; then
-               git push https://[email protected]/NetApp/harvest.git --delete nightly
-           fi
-           /opt/home/gh_2.8.0_linux_386/bin/gh release create nightly $targetLocation/*.rpm $targetLocation/*.deb $targetLocation/*.gz --notes "Nightly builds may include bugs and other issues. You might want to use the stable releases instead." --title "Harvest Nightly Release" --prerelease --target main
-           docker build -f container/onePollerPerContainer/Dockerfile --build-arg GO_VERSION=${GO_VERSION} --build-arg VERSION=$VERSION --build-arg RELEASE=$RELEASE --build-arg ASUP_MAKE_TARGET=$ASUP_MAKE_TARGET --build-arg GIT_TOKEN=$GIT_TOKEN  -t ${imageName}:latest -t ${imageName}:nightly -t ${jfrogImagePrefix}:latest -t ${jfrogImagePrefix}:nightly -t ${ghcrImage}:latest -t ${ghcrImage}:nightly . --no-cache
-           echo $GIT_TOKEN | docker login ghcr.io -u $DOCKERHUB_USERNAME --password-stdin
-           docker push ${ghcrImage}:nightly
-           # Add a dummy user/email for mike deploy to work
-           git config user.name harvest
-           git config user.email harvest
-           git fetch origin gh-pages:gh-pages
-           mike deploy -r https://[email protected]/NetApp/harvest.git --push --update-aliases nightly
-            '''
-          withDockerRegistry([credentialsId: "DockerHub", url: ""]) {
-            sh '''
-            docker login
-            docker push ${imageName}:nightly
-            '''
+          when {
+              expression {
+                  return params.RELEASE == 'nightly' && env.BRANCH == 'main' && params.ASUP_MAKE_TARGET == 'production'
+              }
           }
-          withCredentials([usernamePassword(credentialsId: 'Jfrog', passwordVariable: 'password', usernameVariable: 'username')]) {
-            sh '''
-            docker login --username=$username --password=$password ${jfrogRepo}
-            docker push ${jfrogImagePrefix}:nightly
-            '''
+          steps {
+              withCredentials([string(credentialsId: 'GIT_TOKEN', variable: 'GIT_TOKEN')]) {
+                  script {
+                      // Write the GIT_TOKEN to a temporary file
+                      def gitTokenFile = "${env.WORKSPACE}/git_token"
+                      writeFile file: gitTokenFile, text: env.GIT_TOKEN
+
+                      sh '''
+                      targetLocation=$targetParentLocation$VERSION-$RELEASE-$BRANCH
+                      wget -q -O /opt/home/gh.tar.gz "https://github.com/cli/cli/releases/download/v2.8.0/gh_2.8.0_linux_386.tar.gz"
+                      tar -C /opt/home -xzf /opt/home/gh.tar.gz
+                      echo $GIT_TOKEN > mytoken.txt
+                      /opt/home/gh_2.8.0_linux_386/bin/gh auth login --with-token < mytoken.txt
+                      /opt/home/gh_2.8.0_linux_386/bin/gh release view nightly && /opt/home/gh_2.8.0_linux_386/bin/gh release delete nightly || true
+                      if [ $(git tag -l nightly) ]; then
+                          git push https://[email protected]/NetApp/harvest.git --delete nightly
+                      fi
+                      /opt/home/gh_2.8.0_linux_386/bin/gh release create nightly $targetLocation/*.rpm $targetLocation/*.deb $targetLocation/*.gz --notes "Nightly builds may include bugs and other issues. You might want to use the stable releases instead." --title "Harvest Nightly Release" --prerelease --target main
+                      docker build --secret id=git_token,src=${gitTokenFile} -f container/onePollerPerContainer/Dockerfile --build-arg GO_VERSION=${GO_VERSION} --build-arg VERSION=$VERSION --build-arg RELEASE=$RELEASE --build-arg ASUP_MAKE_TARGET=$ASUP_MAKE_TARGET -t ${imageName}:latest -t ${imageName}:nightly -t ${jfrogImagePrefix}:latest -t ${jfrogImagePrefix}:nightly -t ${ghcrImage}:latest -t ${ghcrImage}:nightly . --no-cache
+                      echo $GIT_TOKEN | docker login ghcr.io -u $DOCKERHUB_USERNAME --password-stdin
+                      docker push ${ghcrImage}:nightly
+                      # Add a dummy user/email for mike deploy to work
+                      git config user.name harvest
+                      git config user.email harvest
+                      git fetch origin gh-pages:gh-pages
+                      mike deploy -r https://[email protected]/NetApp/harvest.git --push --update-aliases nightly
+                      '''
+                      withDockerRegistry([credentialsId: "DockerHub", url: ""]) {
+                          sh '''
+                          docker login
+                          docker push ${imageName}:nightly
+                          '''
+                      }
+                      withCredentials([usernamePassword(credentialsId: 'Jfrog', passwordVariable: 'password', usernameVariable: 'username')]) {
+                          sh '''
+                          docker login --username=$username --password=$password ${jfrogRepo}
+                          docker push ${jfrogImagePrefix}:nightly
+                          '''
+                      }
+                  }
+              }
           }
-            }
-        }
+      }
+
     }