
Update Artifactory packages pull-through guide to use Docker build secrets #3304

Merged
matthewhelmke merged 1 commit into chainguard-dev:main from matthewhelmke:donothardcode
May 11, 2026

@matthewhelmke
Collaborator

@matthewhelmke matthewhelmke commented May 8, 2026

Summary

  • Replaces hardcoded Artifactory tokens in /etc/apk/repositories with Docker build secrets (--mount=type=secret), preventing tokens from being stored in image layers or appearing in docker history
  • Combines repository configuration, package installation, and cleanup into a single RUN instruction so credentials never persist in a layer
  • Updates docker build commands to pass tokens via --secret id=...,env=... and non-sensitive config via --build-arg
  • Applies the same pattern to both the private APK (cg-private) and public repo (cg-chainguard, cg-extras) Dockerfiles

Fixes: chainguard-dev/internal#5839

Test plan

  • Verify Dockerfiles render correctly in the site preview
  • Confirm the <<'EOF' heredoc syntax is accurate (single-quoted to prevent shell expansion)
  • Spot-check that --secret id=...,env=... and --mount=type=secret syntax is correct for current Docker Buildx
  • Review for tone and style consistency with surrounding content

🤖 Generated with Claude Code

…crets

Replace hardcoded Artifactory tokens in /etc/apk/repositories with
Docker build secrets, preventing tokens from being stored in image layers
or build history. Resolves internal#5839.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
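
The pattern the summary describes, written out as an added example (not the Dockerfile from this pull request or from the Chainguard guide). The base image, the secret id `artifactory_token`, the build-arg names, the package name, and the repository URL are assumptions or placeholders; the secret is read from its default mount path, `/run/secrets/<id>`.

```dockerfile
# syntax=docker/dockerfile:1
# Assumed base image; any apk-based image is handled the same way.
FROM cgr.dev/chainguard/wolfi-base:latest

# Non-sensitive settings arrive as build args (placeholders supplied at build
# time). APK_REPO_URL is host plus path with no scheme and no credentials,
# for example artifactory.example.com/<path>/cg-private
ARG ARTIFACTORY_USER
ARG APK_REPO_URL

# Before: a literal token written to /etc/apk/repositories is committed to the
# layer, and the RUN line itself is recorded in `docker history`.
#   RUN echo "https://user:<token>@artifactory.example.com/<path>/cg-private" \
#         >> /etc/apk/repositories

# After: the secret is mounted for this one RUN step only. Repository setup,
# package installation, and cleanup share a single layer, so the credentialed
# URL is removed before the layer is committed. The quoted 'EOF' stops Docker
# from expanding ${...} itself; the shell expands the variables at run time.
RUN --mount=type=secret,id=artifactory_token <<'EOF'
set -eu
token="$(cat /run/secrets/artifactory_token)"
cp /etc/apk/repositories /tmp/repositories.orig
echo "https://${ARTIFACTORY_USER}:${token}@${APK_REPO_URL}" >> /etc/apk/repositories
# example-package is a placeholder; assumes the repository signing key is
# already trusted in the base image.
apk add --no-cache example-package
# Restore the original file so no credentialed URL remains in the layer.
mv /tmp/repositories.orig /etc/apk/repositories
EOF

# Build: the token is read from the caller's environment and is never passed
# as a build arg.
#   docker build \
#     --secret id=artifactory_token,env=ARTIFACTORY_TOKEN \
#     --build-arg ARTIFACTORY_USER=<user> \
#     --build-arg APK_REPO_URL=<host/path> .
# Check: `docker history --no-trunc <image>` should show no token, and
# /etc/apk/repositories in the final image should hold no credentialed URL.
```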
@matthewhelmke matthewhelmke requested a review from a team as a code owner May 8, 2026 12:30
@netlify

netlify Bot commented May 8, 2026

Deploy Preview for ornate-narwhal-088216 ready!

Name Link
🔨 Latest commit 0f3af1c
🔍 Latest deploy log https://app.netlify.com/projects/ornate-narwhal-088216/deploys/69fdd75823980e0008512168
😎 Deploy Preview https://deploy-preview-3304--ornate-narwhal-088216.netlify.app

@matthewhelmke matthewhelmke self-assigned this May 8, 2026
@matthewhelmke matthewhelmke merged commit 8f7f425 into chainguard-dev:main May 11, 2026
8 checks passed
@matthewhelmke matthewhelmke deleted the donothardcode branch May 11, 2026 19:54