7 changes: 7 additions & 0 deletions README.md
@@ -81,6 +81,13 @@ These containers are built via Github actions that [copy the dockerfile](https:/
| `DEBUG_OUTPUT` | Optional boolean to print additional debug output. Default: false |
| `UNSET_CONFIG_VARS` | Optional flag to unset all configuration environment variables after runner setup but before starting the runner. This prevents these variables from leaking into the workflow environment. Set to 'true' to enable. Defaults to 'false' for backward compatibility. |

## Docker Swarm Secrets ##

Docker Swarm secrets configuration is available to be configured for `ACCESS_TOKEN`, `RUNNER_TOKEN`, `APP_ID` and `APP_PRIVATE_KEY`.

If a docker secret is configured for the variable then that environment variable will be overrided.
See https://docs.docker.com/engine/swarm/secrets for more details on how to use secrets.

## Tests ##

Tests are written in [goss](https://github.com/goss-org/goss/) for general assertions.
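Review bot: "overrided" in the added sentence "If a docker secret is configured for the variable then that environment variable will be overrided." should be "overridden". This section would also benefit from stating that the swarm secret must be named exactly like the variable (a secret called `ACCESS_TOKEN`, `RUNNER_TOKEN`, `APP_ID` or `APP_PRIVATE_KEY`), since entrypoint.sh looks the file up as `/run/secrets/<VARIABLE_NAME>`, and that a secret takes precedence over a value that was also passed in the environment, which is the behaviour an operator needs to know when both are set.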
15 changes: 15 additions & 0 deletions entrypoint.sh
@@ -4,6 +4,21 @@
export RUNNER_ALLOW_RUNASROOT=1
export PATH=${PATH}:/actions-runner

# Function to read secrets from file in a Docker Swarm setup
Owner

I'm ok with this if it's in a new file secrets.sh

```bash
#!/usr/bin/env bash
set -euo pipefail

SECRETS_DIR="/run/secrets"

for secret_file in "$SECRETS_DIR"/*; do
  # Skip if no files matched
  [[ -e "$secret_file" ]] || continue

  secret_name=$(basename "$secret_file")
  env_var_name=$(echo "$secret_name" | tr '[:lower:]' '[:upper:]' | tr '-' '_')

  # Read the secret
  secret_value=$(cat "$secret_file")

  # Export it
  export "$env_var_name=$secret_value"

  echo "Loaded secret: $env_var_name"
done

echo "Docker Swarm secrets loaded."
```

Then in entrypoint.sh at the top: `_DOCKER_SWARM_SECRETS_ENABLED=${DOCKER_SWARM_SECRETS_ENABLED:-false}`

and somewhere further below:

```bash
if [[ "${_DOCKER_SWARM_SECRETS_ENABLED}" == "true" ]]; then
  echo "Docker Swarm secrets enabled — loading secrets..."
  /secrets.sh
fi
```

also don't forget to modify https://github.com/myoung34/docker-github-actions-runner/blob/master/Dockerfile#L22-L23 to add script.sh with +x but also mkdir -p /run/secrets as well somewhere

read_secret() {
local secret_name="$1"
local secret_file="/run/secrets/${secret_name}"
if [ -f "${secret_file}" ]; then
export "${secret_name}"="$(cat ${secret_file})"
fi
}

# Read Docker secrets if available
read_secret "ACCESS_TOKEN"
read_secret "RUNNER_TOKEN"
read_secret "APP_ID"
read_secret "APP_PRIVATE_KEY"

# Un-export these, so that they must be passed explicitly to the environment of
# any command that needs them. This may help prevent leaks.
export -n ACCESS_TOKEN
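Review bot: in `read_secret`, the command substitution `$(cat ${secret_file})` leaves `${secret_file}` unquoted; write it as `export "${secret_name}"="$(cat "${secret_file}")"` so the function stays correct for any path, not only the four fixed names passed to it. The `-f` test also succeeds for a file the runner process cannot read, in which case `cat` fails and the variable is exported as an empty string, silently replacing whatever was passed in the environment; testing `[ -r "${secret_file}" ]` (or checking `cat`'s exit status before exporting) makes that failure visible instead. Note as well that `$(...)` strips trailing newlines from the file content, which is harmless for a token or a PEM key but means the exported value is not byte-identical to the secret; worth a comment so nobody is surprised by it later. The `export -n ACCESS_TOKEN` below applies to the secret-loaded value too, which is the intended behaviour and matches the comment above it.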