From 47c00d78bfb0dbb514c150a184f4336e812147a6 Mon Sep 17 00:00:00 2001
From: CrazyMax <crazy-max@users.noreply.github.com>
Date: Sun, 9 Oct 2022 17:39:54 +0200
Subject: [PATCH] ci: secret job to check for invalid secrets

Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
---
 .github/workflows/ci.yml | 23 +++++++++++++++++++++++
 __tests__/buildx.test.ts |  3 +--
 test/secret.Dockerfile   |  4 ++++
 3 files changed, 28 insertions(+), 2 deletions(-)
 create mode 100644 test/secret.Dockerfile

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a09b041..222e971 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -302,6 +302,29 @@ jobs:
         run: |
           docker image inspect myimage:latest
 
+  secret:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        uses: ./
+        with:
+          context: .
+          file: ./test/secret.Dockerfile
+          secrets: |
+            MYSECRET=foo
+            INVALID_SECRET=
+
   network:
     runs-on: ubuntu-latest
     steps:
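Review bot: The new `secret` job passes `INVALID_SECRET=` to the action but never asserts what is supposed to happen with it, so the "check for invalid secrets" in the subject is only a check that the build step does not crash. Whether an empty value makes the action fail the step or merely emit a warning is not visible in this patch; whichever is intended, pin it by giving the build step an `id` and `continue-on-error: true` and adding a step that fails unless `steps.build.outcome` is the expected value (use `success` instead of `failure` below if the action is meant to warn and continue, and grep the step log for the warning in that case). A one-line comment next to the empty assignment, `# INVALID_SECRET is deliberately empty: exercises the invalid-secret path`, would keep the next reader from "fixing" it. The `uses:` refs are mutable tags (`@v3`, `@v2`), presumably consistent with the rest of the workflow, but SHA pins are the safer choice for a job whose purpose is secret handling.
```yaml
      -
        name: Build
        id: build
        continue-on-error: true
        uses: ./
        with:
          # … unchanged: context, file, secrets …
      -
        name: Check invalid secret was rejected
        run: |
          [ "${{ steps.build.outcome }}" = "failure" ] || exit 1
```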
diff --git a/__tests__/buildx.test.ts b/__tests__/buildx.test.ts
index ecfd9fa..81b7aba 100644
--- a/__tests__/buildx.test.ts
+++ b/__tests__/buildx.test.ts
@@ -137,8 +137,7 @@ describe('getSecret', () => {
       }
       expect(true).toBe(!invalid);
       expect(secret).toEqual(`id=${exKey},src=${tmpNameSync}`);
-      const secretValue = await fs.readFileSync(tmpNameSync, 'utf-8');
-      expect(secretValue).toEqual(exValue);
+      expect(fs.readFileSync(tmpNameSync, 'utf-8')).toEqual(exValue);
     } catch (err) {
       // eslint-disable-next-line jest/no-conditional-expect
       expect(true).toBe(invalid);
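Review bot: The try/catch around these assertions cannot catch the case where an `invalid` input does not throw: a failing `expect(true).toBe(!invalid)` in the try block is itself an exception, it lands in the catch block, and `expect(true).toBe(invalid)` then passes for every invalid case, so the negative half of this test is effectively always green. The new `fs.readFileSync(...)` line is fine on its own, but the structure it sits in should be replaced by a branch on `invalid` that asserts the throw directly, e.g. `if (invalid) { await expect(<the getSecret call>).rejects.toThrow(); return; }` (or `expect(() => ...).toThrow()` if getSecret is synchronous — the call sits above this hunk, so I cannot tell), followed by the positive assertions without a try/catch. The enclosing test body starts before and continues past this hunk.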
diff --git a/test/secret.Dockerfile b/test/secret.Dockerfile
new file mode 100644
index 0000000..9fae384
--- /dev/null
+++ b/test/secret.Dockerfile
@@ -0,0 +1,4 @@
+# syntax=docker/dockerfile:1
+FROM busybox
+RUN --mount=type=secret,id=MYSECRET \
+  echo "MYSECRET=$(cat /run/secrets/MYSECRET)"
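Review bot: This fixture cannot fail when the secret is not actually mounted: `required` defaults to false on a secret mount, so a missing `MYSECRET` just leaves `/run/secrets/MYSECRET` absent, and a failing `$(cat ...)` inside `echo`'s argument does not change `echo`'s exit status, so the RUN step and the CI job stay green. Make the mount mandatory and assert the value instead of printing it: `RUN --mount=type=secret,id=MYSECRET,required=true \` followed by `  test "$(cat /run/secrets/MYSECRET)" = "foo"` (the expected value must match the `MYSECRET=foo` the workflow passes). That also stops the secret value from being written to the build log; harmless for a dummy, but not a line anyone should copy into a real Dockerfile.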