
ARG and ENV used for sensitive data #418

Open
hsellik opened this issue Aug 13, 2024 · 0 comments
hsellik commented Aug 13, 2024

🐛 Bug Report

The docs suggest passing TURBO_TOKEN as an ARG, which gives off a warning:

SecretsUsedInArgOrEnv: Do not use ARG or ENV instructions for sensitive data (ARG "TURBO_TOKEN")
SecretsUsedInArgOrEnv: Do not use ARG or ENV instructions for sensitive data (ENV "TURBO_TOKEN")

This results in TURBO_TOKEN being persisted inside (multi-stage) images according to docs: https://docs.docker.com/reference/build-checks/secrets-used-in-arg-or-env/

To Reproduce

Run the docker build as currently suggested in docs.

Expected behavior

The TURBO_TOKEN is passed as a secret, while the other environment variables which are not so sensitive can be passed as environment variables.

Essentially, it would look something like this:

Dockerfile:

ARG TURBO_TEAM
ENV TURBO_TEAM=$TURBO_TEAM

RUN --mount=type=secret,id=TURBO_TOKEN \
    export TURBO_TOKEN=$(cat /run/secrets/TURBO_TOKEN) && \
    pnpm turbo build

Command:

# TURBO_TOKEN is preferably set from CI secrets, not plain text
export TURBO_TOKEN=myGeneratedToken
docker buildx build --progress=plain --platform linux/amd64,linux/arm64 -f Dockerfile . --build-arg TURBO_TEAM="ducktors" --secret id=TURBO_TOKEN --no-cache

More info on secrets here: https://docs.docker.com/build/building/secrets/

Feel free to close the issue if you don't think it's a problem.

Your Environment

  • OS: Mac
  • Cloud Vendor: None
  • Turbo Version: 2.0.12
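The ARG/ENV pattern beside the secret-mount replacement, with a small shell check that flags credential-looking ARG/ENV keys the way the build warning does. This is an added example, not code from the issue or from the Turborepo docs; the two Dockerfiles are constructed and the key-name pattern is an assumption (Docker's own check uses its own list).

```shell
#!/usr/bin/env bash
# Added example (not from the issue): flag ARG/ENV instructions whose key
# looks like a credential, mirroring the SecretsUsedInArgOrEnv build check.
# The key-name pattern below is an assumption, not Docker's exact list.

# Constructed "before" Dockerfile: token passed via ARG and ENV, so it is
# recorded in image history / layers even in a multi-stage build.
BEFORE_DOCKERFILE='FROM node:20-alpine
ARG TURBO_TEAM
ARG TURBO_TOKEN
ENV TURBO_TEAM=$TURBO_TEAM
ENV TURBO_TOKEN=$TURBO_TOKEN
RUN pnpm turbo build'

# Constructed "after" Dockerfile: token delivered with a secret mount, so it
# exists only inside that RUN step and is never written to a layer.
AFTER_DOCKERFILE='FROM node:20-alpine
ARG TURBO_TEAM
ENV TURBO_TEAM=$TURBO_TEAM
RUN --mount=type=secret,id=TURBO_TOKEN \
    export TURBO_TOKEN=$(cat /run/secrets/TURBO_TOKEN) && \
    pnpm turbo build'

# Print one warning per offending instruction; return 1 if any were found.
check_secrets_in_arg_env() {
  local found=0 line instr key
  while IFS= read -r line; do
    case "$line" in
      ARG\ *|ENV\ *) ;;
      *) continue ;;            # only ARG/ENV instructions matter here
    esac
    instr=${line%% *}           # "ARG" or "ENV"
    key=${line#* }              # strip the instruction keyword
    key=${key%%=*}              # drop "=value" if present
    key=${key%% *}              # drop any trailing "value" for ARG/ENV forms
    case "$(printf '%s' "$key" | tr '[:lower:]' '[:upper:]')" in
      *TOKEN*|*SECRET*|*PASSWORD*|*PASSWD*|*API_KEY*|*APIKEY*|*PRIVATE_KEY*)
        printf 'SecretsUsedInArgOrEnv: %s "%s"\n' "$instr" "$key"
        found=1 ;;
    esac
  done <<EOF
$1
EOF
  return $found
}

# Number of flagged instructions, for callers that want a count.
count_flagged() {
  check_secrets_in_arg_env "$1" | wc -l | tr -d ' '
}
```

Run `check_secrets_in_arg_env "$BEFORE_DOCKERFILE"` to see the two warnings; the secret-mount variant produces none.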