Production ENV file with docker/build-push-action and GitHub Actions

I have the following docker/build-push-action job that runs in my GitHub Actions when a release tag is created.

jobs:
  docker:
    runs-on: ubuntu-latest
    steps:
      -
        name: Set up QEMU
        uses: docker/setup-qemu-action@v1
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v1
      -
        name: Login to DockerHub
        uses: docker/login-action@v1
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_TOKEN }}
      -
        name: Build and push
        id: docker_build
        uses: docker/build-push-action@v2
        with:
          push: true
          tags: user/repo:latest
      -
        name: Image digest
        run: echo ${{ steps.docker_build.outputs.digest }}

In my Dockerfile I have a task that takes .env.production and makes it .env.

COPY .env.production .env

This obviously fails because .env.production is not included in Git.

My question is, how do I get a similar thing to happen in my GitHub Actions? I thought about creating the env file before Build and push, but I think that task pulls from main in a Docker container, so it won't actually see my created file? Or, if anything, overwrite it.

What is the best way to achieve this?

Thanks in advance

Darren Keen asked Nov 14 '22 21:11


1 Answer

This is what I came up with.

Dockerfile

...
ARG ARG_ENV_SECRET
ARG ARG_ENV_SECRET_1
COPY ./env-script.sh ./
RUN ./env-script.sh
...

env-script.sh (this script creates the .env file)

#!/bin/sh

# Write the build args passed in by the Dockerfile into .env,
# one KEY=value pair per line.
touch .env
{
  printf 'ENV_SECRET=%s\n' "$ARG_ENV_SECRET"
  printf 'ENV_SECRET_1=%s\n' "$ARG_ENV_SECRET_1"
} >> .env

docker-action.yml

...

jobs:
  build:
    runs-on: ubuntu-latest

    steps:
      - name: Build, tag, and push the image to Amazon ECR
        id: build-image
        env:
          # names used in the run step below
          ENV_SECRET: ${{ secrets.ENV_SECRET }}
          ENV_SECRET_1: ${{ secrets.ENV_SECRET_1 }}
        run: |
          # the --build-arg names must match the ARG names declared in the Dockerfile
          docker build \
            --build-arg ARG_ENV_SECRET="$ENV_SECRET" \
            --build-arg ARG_ENV_SECRET_1="$ENV_SECRET_1" \
            .
...

I'm pretty sure this is not the best route but it's worked for us since we use a third party to run our AWS services. A better approach would be to use AWS secrets when starting the instance. You can read more about it here.

joe-avalos answered Dec 04 '22 12:12
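As an added example that is not part of either post above: the same idea (build .env on the runner from repository secrets) written as a shell step that fails closed when a secret is missing, quotes values so dotenv parsing survives spaces and '#', and hands the file to BuildKit as a secret mount instead of a --build-arg, because ARG values consumed by RUN steps are recorded in the image metadata shown by `docker history`. APP_KEY, DB_PASSWORD and the `dotenv` secret id are assumed names.

```shell
#!/bin/sh
# Added example, not code from the question or the answer above.
# Assumes the GitHub Actions step exposes the secrets as environment
# variables (APP_KEY and DB_PASSWORD are assumed names) and that BuildKit
# (docker buildx) is available on the runner.
set -eu

# Write NAME="value" lines for each named variable into the file $1.
# Fails closed: an unset or empty secret aborts the build instead of
# silently producing a .env with a blank value.
write_env_file() {
  out=$1
  shift
  umask 077                 # .env readable by the runner user only
  : > "$out"
  for name in "$@"; do
    eval "val=\${$name:-}"
    if [ -z "$val" ]; then
      echo "write_env_file: secret $name is unset or empty" >&2
      return 1
    fi
    # Escape backslashes and double quotes so the value survives dotenv
    # parsing even when it contains spaces, '#' or '='.
    esc=$(printf '%s' "$val" | sed 's/[\\"]/\\&/g')
    printf '%s="%s"\n' "$name" "$esc" >> "$out"
  done
}

# Build with a BuildKit secret mount rather than --build-arg: build args
# end up in the image metadata (docker history), secret mounts do not.
# The Dockerfile consumes the file during a single RUN step, e.g.
#   RUN --mount=type=secret,id=dotenv,target=/app/.env <step that needs .env>
# and nothing from it is written into a layer unless that step copies it.
build_image() {
  tag=$1
  write_env_file .env APP_KEY DB_PASSWORD
  docker buildx build --secret id=dotenv,src=.env -t "$tag" .
  rm -f .env                # do not leave the plaintext file on the runner
}
```

In a workflow step this is `build_image user/repo:latest`; with docker/build-push-action the `secret-files` input plays the role of the `--secret` flag, and `context: .` is needed so the step builds from the checked-out workspace rather than the Git context.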