[v0.19.0] bake: cache-to/cache-from attributes output credentials with --print #2823

@crazy-max

also related to #2758

Given the following definition:

target "default" {
  cache-from = [
    "type=s3,region=eu-west-1,bucket=mybucket"
  ]
  cache-to = [
    "type=s3,region=eu-west-1,bucket=mybucket",
    "type=inline"
  ]
}

And using the --print flag to output the canonical representation:

$ AWS_ACCESS_KEY_ID=foo AWS_SECRET_ACCESS_KEY=bar docker buildx bake --print
#1 [internal] load local bake definitions
#1 reading docker-bake.hcl 266B / 266B done
#1 DONE 0.0s
{
  "target": {
    "default": {
      "context": ".",
      "dockerfile": "Dockerfile",
      "cache-from": [
        {
          "access_key_id": "[REDACTED]",
          "bucket": "mybucket",
          "region": "eu-west-1",
          "secret_access_key": "[REDACTED]",
          "type": "s3"
        },
        {
          "ref": "user/repo:cache",
          "type": "registry"
        }
      ],
      "cache-to": [
        {
          "access_key_id": "[REDACTED]",
          "bucket": "mybucket",
          "region": "eu-west-1",
          "secret_access_key": "[REDACTED]",
          "type": "s3"
        },
        {
          "type": "inline"
        }
      ],
      "output": [
        {
          "type": "cacheonly"
        }
      ]
    }
  }
}

It prints the credentials where it should not (marked as [REDACTED]).

With previous release:

$ AWS_ACCESS_KEY_ID=foo AWS_SECRET_ACCESS_KEY=bar docker buildx bake --print
#1 [internal] load local bake definitions
#1 reading ./__tests__/.fixtures/bake-03.hcl 266B / 266B done
#1 DONE 0.0s
{
  "target": {
    "default": {
      "context": ".",
      "dockerfile": "Dockerfile",
      "cache-from": [
        "type=s3,region=eu-west-1,bucket=mybucket",
        "user/repo:cache"
      ],
      "cache-to": [
        "type=s3,region=eu-west-1,bucket=mybucket",
        "type=inline"
      ],
      "output": [
        "type=cacheonly"
      ]
    }
  }
}

Didn't check if secret attributes behave in a similar way.
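
A CI-side guard for the behaviour reported above, as an added example that is not part of the issue or of buildx: it masks credential attributes in the `cache-from`/`cache-to` entries of `bake --print` output before the output is logged, and handles both the object form and the older CSV-string form. The function names, the `***` mask, the constructed sample and the inclusion of `session_token` are assumptions made here.

```python
import json

# access_key_id / secret_access_key come from the --print output in the issue;
# session_token is an assumption added here (s3 temporary credentials).
SENSITIVE_KEYS = {"access_key_id", "secret_access_key", "session_token"}
CACHE_FIELDS = ("cache-from", "cache-to")
MASK = "***"

# Constructed sample: progress lines followed by the JSON, as in the report.
SAMPLE = '''#1 [internal] load local bake definitions
#1 DONE 0.0s
{"target": {"default": {
  "cache-from": [{"type": "s3", "bucket": "mybucket",
                  "access_key_id": "foo", "secret_access_key": "bar"}],
  "cache-to": ["type=s3,bucket=mybucket,secret_access_key=bar", {"type": "inline"}]
}}}
'''


def _scrub_entry(entry):
    """Mask credential attributes in one cache entry (object or CSV string)."""
    if isinstance(entry, dict):
        hits = sorted(k for k in entry if k in SENSITIVE_KEYS)
        return {k: (MASK if k in SENSITIVE_KEYS else v) for k, v in entry.items()}, hits
    if isinstance(entry, str):
        parts, hits = [], []
        for part in entry.split(","):
            key, sep, _ = part.partition("=")
            if sep and key.strip() in SENSITIVE_KEYS:
                hits.append(key.strip())
                part = f"{key}={MASK}"
            parts.append(part)
        return ",".join(parts), sorted(hits)
    return entry, []


def scrub_bake_print(text):
    """Return (scrubbed JSON text, findings); findings never contain secret values."""
    # Skip "#1 ..." progress lines: the JSON starts at the first line opening with "{".
    start = 0 if text.startswith("{") else text.index("\n{") + 1
    doc = json.loads(text[start:])
    findings = []
    for name, target in doc.get("target", {}).items():
        for field in CACHE_FIELDS:
            entries = target.get(field)
            if not isinstance(entries, list):
                continue
            for i, entry in enumerate(entries):
                entries[i], hits = _scrub_entry(entry)
                findings += [(name, field, i, h) for h in hits]
    return json.dumps(doc, indent=2), findings
```

A non-empty findings list is the signal that the installed buildx version expands environment credentials into `--print` output, so the raw output should not be written to build logs or artifacts.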
