From 6dfaeda3e99868dff3619f7a0b5767ef82dd93e7 Mon Sep 17 00:00:00 2001 From: Luiz Carvalho Date: Tue, 24 Dec 2024 19:27:20 -0300 Subject: [PATCH] chore: move aws key to secrets --- .github/workflows/build-docker.yml | 5 +++-- docker/node.dockerfile | 9 +++++---- 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/.github/workflows/build-docker.yml b/.github/workflows/build-docker.yml index 96aca65..3f67f1b 100644 --- a/.github/workflows/build-docker.yml +++ b/.github/workflows/build-docker.yml @@ -35,13 +35,14 @@ jobs: run: echo "SANITIZED_REF=$(echo "${GITHUB_REF##*/}" | tr '/' '-')" >> $GITHUB_ENV - name: Build and push - uses: docker/build-push-action@v5 + uses: docker/build-push-action@v6 with: context: . push: true - build-args: | + secret-envs: | AWS_ACCESS_KEY_ID=${{ secrets.AWS_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY=${{ secrets.AWS_SECRET_ACCESS_KEY }} + build-args: | SCCACHE_BUCKET=torus-substrate-cache SCCACHE_ENDPOINT=${{ secrets.SCCACHE_ENDPOINT }} SCCACHE_REGION=auto diff --git a/docker/node.dockerfile b/docker/node.dockerfile index 62a5656..6cd392e 100644 --- a/docker/node.dockerfile +++ b/docker/node.dockerfile @@ -1,7 +1,5 @@ FROM debian:12-slim AS builder -ARG AWS_ACCESS_KEY_ID -ARG AWS_SECRET_ACCESS_KEY ARG SCCACHE_BUCKET ARG SCCACHE_ENDPOINT ARG SCCACHE_REGION=auto @@ -26,7 +24,9 @@ ENV PATH=/root/.cargo/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbi RUN curl https://sh.rustup.rs -sSf | \ sh -s -- -y --profile=minimal --default-toolchain=1.82.0 -RUN if [ -n "$AWS_ACCESS_KEY_ID" ]; then \ +RUN --mount=type=secret,id=aws-key-id,env=AWS_ACCESS_KEY_ID \ + --mount=type=secret,id=aws-secret-key,env=AWS_SECRET_ACCESS_KEY \ + if [ -n "$AWS_ACCESS_KEY_ID" ]; then \ curl https://github.com/mozilla/sccache/releases/download/v0.9.0/sccache-v0.9.0-x86_64-unknown-linux-musl.tar.gz \ -Lo sccache-v0.9.0-x86_64-unknown-linux-musl.tar.gz && \ tar -xzf sccache-v0.9.0-x86_64-unknown-linux-musl.tar.gz --strip-components=1 \ 
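Review bot: The new `secret-envs` entries do not match what docker/node.dockerfile mounts: that input takes `id=ENV_VAR_NAME` pairs, but here the right-hand side is the expanded secret value and the ids are `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY`, while the Dockerfile asks for `id=aws-key-id` and `id=aws-secret-key`. Secret mounts are optional by default, so the build would most likely see an empty `AWS_ACCESS_KEY_ID` and silently skip sccache instead of failing. Use `secrets: |` with `aws-key-id=${{ secrets.AWS_ACCESS_KEY_ID }}` and `aws-secret-key=${{ secrets.AWS_SECRET_ACCESS_KEY }}`, or keep `secret-envs` and export both values through the step's `env:`. `SCCACHE_ENDPOINT` is also sourced from `secrets.` but still travels through `build-args`, so it stays readable in image history and build records; consider moving it as well.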
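Review bot: Both AWS secrets are exported into the environment for this whole RUN step, which fetches the sccache tarball with `curl -Lo` and unpacks it with no integrity check before the build runs with those credentials in scope. Add a checksum gate right after the download, for example `echo "<expected-sha256>  sccache-v0.9.0-x86_64-unknown-linux-musl.tar.gz" | sha256sum -c -`, with the digest taken from the release page. The `env=` option on secret mounts also needs a recent Dockerfile frontend (1.10 or later, to my knowledge), and the file starts at `FROM` with no `# syntax=` line, so adding `# syntax=docker/dockerfile:1` as the first line would make that requirement explicit. The RUN body continues past the end of this hunk.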
@@ -36,7 +36,8 @@ RUN if [ -n "$AWS_ACCESS_KEY_ID" ]; then \ fi && \ cargo build -p torus-node --release --locked -RUN if [ -n "$AWS_ACCESS_KEY_ID" ]; then \ +RUN --mount=type=secret,id=aws-key-id,env=AWS_ACCESS_KEY_ID \ + if [ -n "$AWS_ACCESS_KEY_ID" ]; then \ ./sccache --show-stats; \ fi
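Review bot: This step mounts `aws-key-id` only to test whether caching is enabled, and it runs in a fresh build container, so the sccache server that served the `cargo build` step is presumably gone and `--show-stats` would print empty counters. Moving `./sccache --show-stats` to the end of the previous RUN, after `cargo build`, would report the real numbers and drop this second secret mount. If the separate step is kept, a non-secret flag such as an existing build arg is enough for the `-n` test.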