Easier secret management for custom build commands

When using custom build commands in Truss, secrets are often needed; for instance, when installing a pip package from a private GitHub repository.

To solve this, you can now use the build.secret_to_path_mapping option in your Truss config file. This lets you specify a path where the secret is made available during your build.

Note that this mounts the secret during the build process only. After executing the commands, the secret will not be present on the built Docker image or in any of the Docker history.

To use this feature to install a pip package from a private GitHub repository, you can do the following in your config.yaml file:

build_commands:
  - pip install git+https://$(cat /root/my-github-access-token)@github.com/path/to-private-repo.git

build:
  secret_to_path_mapping:
    my-github-access-token: /root/my-github-access-token

secrets:
  my-github-access-token: null

In this example, we mount the secret my-github-access-token at the path /root/my-github-access-token. This allows us to access the value at that path. To use this, you'll have to create a Baseten secret called my-github-access-token.
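
A review-time check for the configuration above, written as an added example (it is not part of Truss or of the original post). It takes the parsed config.yaml as a dict; the function name, the sample dicts and the placeholder values are constructed for illustration, and treating any non-null value under secrets as a finding is an assumption based on the null shown above.

```python
import re

# The $(cat /path) idiom the build command above uses to read a mounted secret.
CAT_PATH = re.compile(r"\$\(\s*cat\s+([^\s)]+)\s*\)")
# Literal userinfo in a URL (https://TOKEN@host), i.e. a credential typed into the command.
LITERAL_CRED = re.compile(r"https?://[^/@\s$]+@")

def check_build_secrets(config):
    """Return findings for a parsed Truss config (dict); an empty list means clean."""
    findings = []
    declared = config.get("secrets") or {}
    mapping = (config.get("build") or {}).get("secret_to_path_mapping") or {}
    for name, value in declared.items():
        # Assumption: config.yaml carries only the secret's name; the value lives in Baseten.
        if value is not None:
            findings.append(f"secret '{name}' has an inline value in config.yaml")
    for name in mapping:
        if name not in declared:
            findings.append(f"mapped secret '{name}' is not declared under secrets")
    mounted = set(mapping.values())
    for cmd in config.get("build_commands") or []:
        if LITERAL_CRED.search(cmd):
            findings.append("build command embeds a literal credential in a URL")
        for path in CAT_PATH.findall(cmd):
            # Heuristic: any $(cat ...) in a build command is expected to read a mounted secret.
            if path not in mounted:
                findings.append(f"build command reads '{path}', which is not a mounted secret path")
    return findings

# Constructed samples: GOOD mirrors the config in the post, BAD contains four mistakes.
GOOD = {
    "build_commands": ["pip install git+https://$(cat /root/my-github-access-token)"
                       "@github.com/path/to-private-repo.git"],
    "build": {"secret_to_path_mapping": {"my-github-access-token": "/root/my-github-access-token"}},
    "secrets": {"my-github-access-token": None},
}
BAD = {
    "build_commands": [
        "pip install git+https://PLACEHOLDER_TOKEN@github.com/path/to-private-repo.git",
        "pip install git+https://$(cat /root/unmapped-token)@github.com/path/to-private-repo.git",
    ],
    "build": {"secret_to_path_mapping": {"other-token": "/root/other-token"}},
    "secrets": {"my-github-access-token": "PLACEHOLDER_VALUE"},
}

if __name__ == "__main__":
    for finding in check_build_secrets(BAD):
        print("FINDING:", finding)
```

The findings name the secret and the path but never echo a secret value, so the output is safe to keep in CI logs.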

Check out our docs for the full reference.