Yamlfile supports BuildKit’s native secret mounts in a declarative way.

- run:
    script: ./scripts/push-to-registry.sh
    secrets:
      - id: registry_token
        env: REGISTRY_TOKEN          # injected only for this run

      - id: netrc
        target: /root/.netrc         # file form
        mode: 0600
        optional: true

File form vs. env form

  • target: (or omitting it) → secret appears as a file (default location /run/secrets/<id>).
  • env: → secret is exported as an environment variable inside the RUN (the value is masked in logs by BuildKit).

Both map directly to BuildKit’s --mount=type=secret mechanism (file mount or env= form).

Supplying secrets at build time

docker buildx build ... \
  --secret id=registry_token,env=REGISTRY_TOKEN \
  --secret id=netrc,src=$HOME/.netrc-for-build

See the Syntax Reference for the full SecretMount options (optional, mode, uid, gid).
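As an added example that is not part of Yamlfile or BuildKit, the mapping described above (including the SecretMount options listed in the Syntax Reference) rendered in Python: a parsed `secrets:` list becomes the `--mount=type=secret` options BuildKit expects. The function names, the sample input and the rule that a secret is required unless `optional: true` are assumptions.

```python
# Added example (not Yamlfile's or BuildKit's own code): turns a parsed Yamlfile
# `secrets:` list into the RUN --mount=type=secret flags it maps onto.
from typing import Any, Dict, List

# Constructed input: the two secrets from the snippet above, as a YAML parser
# would hand them over. Caveat: an unquoted `mode: 0600` is octal under YAML 1.1
# (PyYAML) but decimal 600 under YAML 1.2, so quoting it ("0600") is the safe
# spelling; this sample uses the quoted form.
SAMPLE_SECRETS: List[Dict[str, Any]] = [
    {"id": "registry_token", "env": "REGISTRY_TOKEN"},
    {"id": "netrc", "target": "/root/.netrc", "mode": "0600", "optional": True},
]


def normalize_mode(mode: Any) -> int:
    """Accept an octal string ("0600") or an int and return permission bits."""
    bits = int(mode, 8) if isinstance(mode, str) else int(mode)
    if not 0 <= bits <= 0o7777:
        raise ValueError(f"mode {mode!r} is not a valid permission value")
    return bits


def secret_mount_flag(secret: Dict[str, Any]) -> str:
    """Render one SecretMount entry as a BuildKit --mount=type=secret option."""
    if not secret.get("id"):
        raise ValueError("secret mount needs an id")
    parts = ["type=secret", f"id={secret['id']}"]
    if "env" in secret:                      # env form: exported as a variable
        parts.append(f"env={secret['env']}")
    if "target" in secret:                   # file form at an explicit path
        parts.append(f"target={secret['target']}")
    if "mode" in secret:
        parts.append(f"mode={normalize_mode(secret['mode']):04o}")
    for key in ("uid", "gid"):
        if key in secret:
            parts.append(f"{key}={int(secret[key])}")
    # Assumption: a Yamlfile secret is required unless `optional: true`;
    # BuildKit spells the same thing as required=true (its default is false).
    if not secret.get("optional", False):
        parts.append("required=true")
    return "--mount=" + ",".join(parts)


def mount_flags(secrets: List[Dict[str, Any]]) -> List[str]:
    """Render every secret of one run step, in declaration order."""
    return [secret_mount_flag(s) for s in secrets]


if __name__ == "__main__":
    for flag in mount_flags(SAMPLE_SECRETS):
        print(flag)
```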

Secrets mounted this way are never present in the final image layers or history when used correctly, that is, when the script reads them from the mount and does not copy them elsewhere on the filesystem or print them.