This topic has been discussed at length before, with different solutions [1], but it still seems difficult to reassure engineers that it's possible and safe to use secret environment variables during Docker builds. Whether secrets should ever be in environment variables seems hotly debated, with some saying all config goes in env [2] and others doing their best to make it hard for people to use environment variables [3].
Let's step through an example of how to use Docker secrets to create secure environment variables for npm during a Dockerfile build:
This example copies in an npm package.json and package-lock.json file, for use with npm ci.
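A Dockerfile along the lines described, given here as an added example rather than the post's original listing. The base image tag, the registry URL, the working directory and the secret id `npm_token` are assumptions.

```dockerfile
# syntax=docker/dockerfile:1
# Added example, not the post's original listing. Assumed names: the
# node:20-alpine base image, the registry.npmjs.org registry and the
# secret id "npm_token".
#
# Build with BuildKit, passing the token from the caller's environment:
#   docker build --secret id=npm_token,env=NPM_TOKEN -t my-app .

FROM node:20-alpine
WORKDIR /app

# Only the manifest and lockfile are needed for a reproducible install.
COPY package.json package-lock.json ./

# The escaped \$ makes echo write the literal text ${NPM_TOKEN} into .npmrc.
# npm substitutes the value from its environment when it runs, so this
# layer holds a placeholder and never the token itself.
RUN echo "//registry.npmjs.org/:_authToken=\${NPM_TOKEN}" > .npmrc

# The secret is mounted at /run/secrets/npm_token for this RUN step only.
# The variable is set for the npm ci process alone, so it is not written to
# the image's ENV metadata or to its build history the way ARG or ENV
# values are.
RUN --mount=type=secret,id=npm_token \
    NPM_TOKEN="$(cat /run/secrets/npm_token)" npm ci

COPY . .
CMD ["node", "index.js"]
```

Running `docker history --no-trunc` on the resulting image is a quick check that the token value does not appear in any layer command.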
Note: The backslash in the echo command allows echo to write the envir