ARTICLE AD BOX
i am trying to optimize a Docker Multi-Stage build for a Laravel application that requires private GitHub packages. I have two main issues that I can't seem to solve efficiently:
Caching vs. Secrets: I’m using docker build-kit secrets (--mount=type=secret) to pass my GitHub Token for composer install. However, every time I change the secret or even some unrelated files, the composer install layer re-runs, which is very slow. How can I ensure that composer install stays cached as long as composer.lock hasn't changed, even when using secrets?
Secure Layering: I want to make sure the private repo credentials never end up in the final image or any intermediate layer history.
Here is my current Dockerfile structure:
Dockerfile # syntax=docker/dockerfile:1 FROM php:8.2-fpm-alpine AS builder WORKDIR /app # Install system dependencies RUN apk add --no-cache git unzip # Copy dependency files COPY composer.json composer.lock ./ # The problem layer: RUN --mount=type=secret,id=composer_auth,target=/root/.composer/auth.json \ composer install --no-dev --optimize-autoloader --no-scripts COPY . . # Final Stage FROM php:8.2-fpm-alpine COPY --from=builder /app /var/wwwMy questions:
Is there a specific way to mount the secret so it doesn't invalidate the cache unnecessarily?
Should I be using a separate RUN for a cache mount (type=cache,target=/root/.composer/cache) alongside the secret mount?
