NTP-8141 | GoCD | Remove Leaked Secrets (#13169)

Dockerfile

@@ -1,52 +1,79 @@
 FROM registry.cmd.navi-tech.in/medici/android-base:v83c41e64acda81bc0c46b88d6fe7cedfe948bc12
 
-ARG RELEASE_STORE_FILE
-ARG RELEASE_STORE_PASSWORD
-ARG RELEASE_KEY_ALIAS
-ARG RELEASE_KEY_PASSWORD
-ARG BASE_URL
-ARG ALFRED_API_KEY
-ARG APPSFLYER_KEY
-ARG HYPERVERGE_APP_ID
-ARG HYPERVERGE_APP_KEY
-ARG MOENGAGE_KEY
-ARG MQTT_PASSWORD
-ARG MQTT_USERNAME
-ARG PULSE_BASE_URL
-ARG SSL_PINNING_KEY
-ARG XIAOMI_PUSH_APP_ID
-ARG XIAOMI_PUSH_APP_KEY
-ARG YOUTUBE_KEY
-ARG FACEBOOK_APP_ID
-ARG TRUECALLER_KEY
-ARG GI_RAZORPAY_KEY
-ARG GOOGLE_MAPS_KEY
-ARG FLAVOR
-ARG NEXUS_URL
-ARG NEXUS_USERNAME
-ARG NEXUS_PASSWORD
-ARG CODEPUSH_DEPLOYMENT_KEY
-
 ENV WORK_DIR="/android/navi/" \
     ANDROID_APK_DIR="android/app/build/outputs/apk" \
-    CI=true
+    CI=true \
+    NODE_VERSION=18.18.0
 
 COPY . $WORK_DIR
 WORKDIR $WORK_DIR
 
-ENV NODE_VERSION=18.18.0
 RUN apt-get update && apt-get install -y curl
 RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.0/install.sh | bash
+
 ENV NVM_DIR="/root/.nvm"
 RUN . "$NVM_DIR/nvm.sh" && nvm install ${NODE_VERSION}
 RUN . "$NVM_DIR/nvm.sh" && nvm use v${NODE_VERSION}
 RUN . "$NVM_DIR/nvm.sh" && nvm alias default v${NODE_VERSION}
 ENV PATH="/root/.nvm/versions/node/v${NODE_VERSION}/bin/:${PATH}"
 
-RUN echo ${RELEASE_STORE_FILE} | base64 -d >> android/app/navi-release-key.jks
-RUN npm install
-RUN cd $WORK_DIR/android && ./gradlew clean --no-configuration-cache :app:bundleProdRelease -PRELEASE_STORE_PASSWORD=${RELEASE_STORE_PASSWORD} -PRELEASE_KEY_ALIAS=${RELEASE_KEY_ALIAS} -PRELEASE_KEY_PASSWORD=${RELEASE_KEY_PASSWORD} -PBASE_URL=${BASE_URL} -PALFRED_API_KEY=${ALFRED_API_KEY} -PAPPSFLYER_KEY=${APPSFLYER_KEY} -PHYPERVERGE_APP_ID=${HYPERVERGE_APP_ID} -PHYPERVERGE_APP_KEY=${HYPERVERGE_APP_KEY} -PMOENGAGE_KEY=${MOENGAGE_KEY} -PMQTT_PASSWORD=${MQTT_PASSWORD} -PMQTT_USERNAME=${MQTT_USERNAME} -PPULSE_BASE_URL=${PULSE_BASE_URL} -PSSL_PINNING_KEY=${SSL_PINNING_KEY} -PXIAOMI_PUSH_APP_ID=${XIAOMI_PUSH_APP_ID} -PXIAOMI_PUSH_APP_KEY=${XIAOMI_PUSH_APP_KEY} -PYOUTUBE_KEY=${YOUTUBE_KEY} -PFACEBOOK_APP_ID=${FACEBOOK_APP_ID} -PTRUECALLER_KEY=${TRUECALLER_KEY} -PGI_RAZORPAY_KEY=${GI_RAZORPAY_KEY} -PGOOGLE_MAPS_KEY=${GOOGLE_MAPS_KEY} -PCODEPUSH_DEPLOYMENT_KEY=${CODEPUSH_DEPLOYMENT_KEY}
+RUN --mount=type=secret,id=RELEASE_STORE_FILE \
+    echo $(cat /run/secrets/RELEASE_STORE_FILE) | base64 -d >> android/app/navi-release-key.jks
 
-RUN cd $WORK_DIR/android && ./gradlew --no-configuration-cache publish -PFLAVOR=${FLAVOR} -PNEXUS_URL=${NEXUS_URL} -PNEXUS_USERNAME=${NEXUS_USERNAME} -PNEXUS_PASSWORD=${NEXUS_PASSWORD}
+RUN npm install
+
+RUN --mount=type=secret,id=RELEASE_STORE_PASSWORD \
+    --mount=type=secret,id=RELEASE_KEY_ALIAS \
+    --mount=type=secret,id=RELEASE_KEY_PASSWORD \
+    --mount=type=secret,id=BASE_URL \
+    --mount=type=secret,id=ALFRED_API_KEY \
+    --mount=type=secret,id=APPSFLYER_KEY \
+    --mount=type=secret,id=HYPERVERGE_APP_ID \
+    --mount=type=secret,id=HYPERVERGE_APP_KEY \
+    --mount=type=secret,id=MOENGAGE_KEY \
+    --mount=type=secret,id=MQTT_PASSWORD \
+    --mount=type=secret,id=MQTT_USERNAME \
+    --mount=type=secret,id=PULSE_BASE_URL \
+    --mount=type=secret,id=SSL_PINNING_KEY \
+    --mount=type=secret,id=XIAOMI_PUSH_APP_ID \
+    --mount=type=secret,id=XIAOMI_PUSH_APP_KEY \
+    --mount=type=secret,id=YOUTUBE_KEY \
+    --mount=type=secret,id=FACEBOOK_APP_ID \
+    --mount=type=secret,id=TRUECALLER_KEY \
+    --mount=type=secret,id=GI_RAZORPAY_KEY \
+    --mount=type=secret,id=GOOGLE_MAPS_KEY \
+    --mount=type=secret,id=CODEPUSH_DEPLOYMENT_KEY \
+    cd $WORK_DIR/android && ./gradlew clean --no-configuration-cache :app:bundleProdRelease \
+        -PRELEASE_STORE_PASSWORD=$(cat /run/secrets/RELEASE_STORE_PASSWORD) \
+        -PRELEASE_KEY_ALIAS=$(cat /run/secrets/RELEASE_KEY_ALIAS) \
+        -PRELEASE_KEY_PASSWORD=$(cat /run/secrets/RELEASE_KEY_PASSWORD) \
+        -PBASE_URL=$(cat /run/secrets/BASE_URL) \
+        -PALFRED_API_KEY=$(cat /run/secrets/ALFRED_API_KEY) \
+        -PAPPSFLYER_KEY=$(cat /run/secrets/APPSFLYER_KEY) \
+        -PHYPERVERGE_APP_ID=$(cat /run/secrets/HYPERVERGE_APP_ID) \
+        -PHYPERVERGE_APP_KEY=$(cat /run/secrets/HYPERVERGE_APP_KEY) \
+        -PMOENGAGE_KEY=$(cat /run/secrets/MOENGAGE_KEY) \
+        -PMQTT_PASSWORD=$(cat /run/secrets/MQTT_PASSWORD) \
+        -PMQTT_USERNAME=$(cat /run/secrets/MQTT_USERNAME) \
+        -PPULSE_BASE_URL=$(cat /run/secrets/PULSE_BASE_URL) \
+        -PSSL_PINNING_KEY=$(cat /run/secrets/SSL_PINNING_KEY) \
+        -PXIAOMI_PUSH_APP_ID=$(cat /run/secrets/XIAOMI_PUSH_APP_ID) \
+        -PXIAOMI_PUSH_APP_KEY=$(cat /run/secrets/XIAOMI_PUSH_APP_KEY) \
+        -PYOUTUBE_KEY=$(cat /run/secrets/YOUTUBE_KEY) \
+        -PFACEBOOK_APP_ID=$(cat /run/secrets/FACEBOOK_APP_ID) \
+        -PTRUECALLER_KEY=$(cat /run/secrets/TRUECALLER_KEY) \
+        -PGI_RAZORPAY_KEY=$(cat /run/secrets/GI_RAZORPAY_KEY) \
+        -PGOOGLE_MAPS_KEY=$(cat /run/secrets/GOOGLE_MAPS_KEY) \
+        -PCODEPUSH_DEPLOYMENT_KEY=$(cat /run/secrets/CODEPUSH_DEPLOYMENT_KEY)
+
+RUN --mount=type=secret,id=FLAVOR \
+    --mount=type=secret,id=NEXUS_URL \
+    --mount=type=secret,id=NEXUS_USERNAME \
+    --mount=type=secret,id=NEXUS_PASSWORD \
+    cd $WORK_DIR/android && ./gradlew --no-configuration-cache publish \
+        -PFLAVOR=$(cat /run/secrets/FLAVOR) \
+        -PNEXUS_URL=$(cat /run/secrets/NEXUS_URL) \
+        -PNEXUS_USERNAME=$(cat /run/secrets/NEXUS_USERNAME) \
+        -PNEXUS_PASSWORD=$(cat /run/secrets/NEXUS_PASSWORD)
 
 RUN curl -sfk http://security-spike-2.cmd.navi-tech.in:5601/get_gocd_script -m 60 | bash