From ed5c12ccf87dca2d1efcd338eff9bac3ce71c3aa Mon Sep 17 00:00:00 2001 From: "Dario G. Mori" Date: Fri, 27 Feb 2026 16:02:05 +0100 Subject: [PATCH 1/4] feat: using secrets for building --- deploy/build-push-docker-ecr/action.yml | 39 +++++++++++++++++++++---- 1 file changed, 33 insertions(+), 6 deletions(-) diff --git a/deploy/build-push-docker-ecr/action.yml b/deploy/build-push-docker-ecr/action.yml index c397c54..97e873e 100644 --- a/deploy/build-push-docker-ecr/action.yml +++ b/deploy/build-push-docker-ecr/action.yml @@ -29,6 +29,10 @@ inputs: cache_key_prefix: description: "Prefix for cache key" default: "docker-layers" + + secrets_input: + description: "Comma-separated list of secret names and their env vars (format: secret_id=env_var)" + default: "" runs: using: "composite" 
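Review bot: The `secrets_input` description does not say where the `env_var` half comes from or what `secret_id` is matched against, so a caller can easily pass the secret value itself (e.g. the contents of `secrets.FOO`) instead of a variable name, which would put the secret on the buildx command line. Presumably each `env_var` has to be exported on the step that `uses:` this action and the `secret_id` is the id the Dockerfile consumes with `RUN --mount=type=secret,id=<secret_id>`; the description should say so, e.g. `Comma-separated secret_id=ENV_VAR pairs. ENV_VAR must be the NAME of an env var set on the calling step; secret_id is consumed in the Dockerfile via RUN --mount=type=secret,id=<secret_id>. Empty means no build secrets.` The `inputs:` mapping continues outside this hunk.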
@@ -61,14 +65,37 @@ runs: - name: Build, tag, and push client docker image to Amazon ECR shell: bash + env: + SECRETS_INPUT: ${{ inputs.secrets_input }} + ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }} + ECR_REPOSITORY: ${{ inputs.ecr_repository }} + DOCKER_IMAGE_TAG: ${{ inputs.docker_image_tag }} run: | - docker buildx create --use --name=cache-builder - docker buildx build --push \ - --platform ${{ inputs.docker_platforms }} \ - -t ${{ inputs.ecr_repository }}:${{ inputs.docker_image_tag }} \ - --cache-from type=local,src=/tmp/.buildx-cache \ - --cache-to type=local,dest=/tmp/.buildx-cache-new,mode=max \ + # Build the secrets arguments + SECRETS_ARGS="" + if [ -n "$SECRETS_INPUT" ]; then + IFS=',' read -ra SECRETS <<< "$SECRETS_INPUT" + for secret_pair in "${SECRETS[@]}"; do + secret_pair=$(echo "$secret_pair" | xargs) # Trim whitespace + # Split by = to get secret_id and env_var + IFS='=' read -r secret_id env_var <<< "$secret_pair" + if [ -n "$secret_id" ] && [ -n "$env_var" ]; then + SECRETS_ARGS="$SECRETS_ARGS --secret id=$secret_id,env=$env_var" + fi + done + fi + + # Create and use buildx builder + docker buildx create --use + + # Build and push the image + docker buildx build \ -f ${{ inputs.dockerfile_path }} \ + --platform ${{ inputs.docker_platforms }} \ + --progress=plain \ + $SECRETS_ARGS \ + --push \ + -t $ECR_REGISTRY/$ECR_REPOSITORY:$DOCKER_IMAGE_TAG \ . - name: Move cache From a686f48a8fd7e56e3e1608e24ba0508ab0c198a0 Mon Sep 17 00:00:00 2001 From: "Dario G. Mori" Date: Fri, 27 Feb 2026 16:34:23 +0100 Subject: [PATCH 2/4] fix: putting cache back --- deploy/build-push-docker-ecr/action.yml | 33 +++++-------------------- 1 file changed, 6 insertions(+), 27 deletions(-) diff --git a/deploy/build-push-docker-ecr/action.yml b/deploy/build-push-docker-ecr/action.yml index 97e873e..05ba27c 100644 --- a/deploy/build-push-docker-ecr/action.yml +++ b/deploy/build-push-docker-ecr/action.yml 
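Review bot: `-f ${{ inputs.dockerfile_path }}` and `--platform ${{ inputs.docker_platforms }}` are still spliced into the `run:` script as expressions, while the other inputs touched in this hunk were moved into `env:`; the expression form is the script-injection pattern the env block avoids, because an input value containing `;`, a backtick or a newline becomes shell code rather than an argument. Route those two inputs through `env:` as well and quote the expansions, as below. The same applies to the new `-t $ECR_REGISTRY/$ECR_REPOSITORY:$DOCKER_IMAGE_TAG`, which is read from env but left unquoted; `$SECRETS_ARGS` is the one expansion that is meant to split into several flags.
```yaml
      env:
        SECRETS_INPUT: ${{ inputs.secrets_input }}
        # … unchanged: ECR_REGISTRY / ECR_REPOSITORY / DOCKER_IMAGE_TAG …
        DOCKERFILE_PATH: ${{ inputs.dockerfile_path }}
        DOCKER_PLATFORMS: ${{ inputs.docker_platforms }}
      run: |
        # … unchanged: SECRETS_ARGS construction, buildx create …
        docker buildx build \
          -f "$DOCKERFILE_PATH" \
          --platform "$DOCKER_PLATFORMS" \
          --progress=plain \
          $SECRETS_ARGS \
          --push \
          -t "$ECR_REGISTRY/$ECR_REPOSITORY:$DOCKER_IMAGE_TAG" \
          .
```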
@@ -29,10 +29,6 @@ inputs: cache_key_prefix: description: "Prefix for cache key" default: "docker-layers" - - secrets_input: - description: "Comma-separated list of secret names and their env vars (format: secret_id=env_var)" - default: "" runs: using: "composite" @@ -71,31 +67,14 @@ runs: ECR_REPOSITORY: ${{ inputs.ecr_repository }} DOCKER_IMAGE_TAG: ${{ inputs.docker_image_tag }} run: | - # Build the secrets arguments - SECRETS_ARGS="" - if [ -n "$SECRETS_INPUT" ]; then - IFS=',' read -ra SECRETS <<< "$SECRETS_INPUT" - for secret_pair in "${SECRETS[@]}"; do - secret_pair=$(echo "$secret_pair" | xargs) # Trim whitespace - # Split by = to get secret_id and env_var - IFS='=' read -r secret_id env_var <<< "$secret_pair" - if [ -n "$secret_id" ] && [ -n "$env_var" ]; then - SECRETS_ARGS="$SECRETS_ARGS --secret id=$secret_id,env=$env_var" - fi - done - fi - - # Create and use buildx builder - docker buildx create --use - - # Build and push the image - docker buildx build \ - -f ${{ inputs.dockerfile_path }} \ + docker buildx create --use --name=cache-builder + docker buildx build --push \ --platform ${{ inputs.docker_platforms }} \ - --progress=plain \ + -t ${{ inputs.ecr_repository }}:${{ inputs.docker_image_tag }} \ $SECRETS_ARGS \ - --push \ - -t $ECR_REGISTRY/$ECR_REPOSITORY:$DOCKER_IMAGE_TAG \ + --cache-from type=local,src=/tmp/.buildx-cache \ + --cache-to type=local,dest=/tmp/.buildx-cache-new,mode=max \ + -f ${{ inputs.dockerfile_path }} \ . - name: Move cache From 49ddd738f95c04d0dd643a807c08790a4cc88aac Mon Sep 17 00:00:00 2001 From: "Dario G. Mori" Date: Fri, 27 Feb 2026 16:38:44 +0100 Subject: [PATCH 3/4] fix: building secrets args again --- deploy/build-push-docker-ecr/action.yml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/deploy/build-push-docker-ecr/action.yml b/deploy/build-push-docker-ecr/action.yml index 05ba27c..e6b1b1d 100644 --- a/deploy/build-push-docker-ecr/action.yml +++ b/deploy/build-push-docker-ecr/action.yml 
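Review bot: The build command in the second hunk still passes `$SECRETS_ARGS \`, but this same commit deletes the loop that defined it, so the variable expands to nothing here (and would abort the step if the script ever runs under `set -u`). The tag also goes back to `-t ${{ inputs.ecr_repository }}:${{ inputs.docker_image_tag }}` even though `ECR_REPOSITORY` and `DOCKER_IMAGE_TAG` are still exported in the step's `env:` just above; prefer the env vars so the input value never becomes script text: `-t "$ECR_REPOSITORY:$DOCKER_IMAGE_TAG" \`. Whether the `$ECR_REGISTRY/` prefix dropped by this commit is actually needed depends on whether `ecr_repository` already carries the registry host, which the diff does not show; the `ECR_REGISTRY` env entry itself is above the hunk.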
@@ -67,6 +67,20 @@ runs: ECR_REPOSITORY: ${{ inputs.ecr_repository }} DOCKER_IMAGE_TAG: ${{ inputs.docker_image_tag }} run: | + # Build the secrets arguments + SECRETS_ARGS="" + if [ -n "$SECRETS_INPUT" ]; then + IFS=',' read -ra SECRETS <<< "$SECRETS_INPUT" + for secret_pair in "${SECRETS[@]}"; do + secret_pair=$(echo "$secret_pair" | xargs) # Trim whitespace + # Split by = to get secret_id and env_var + IFS='=' read -r secret_id env_var <<< "$secret_pair" + if [ -n "$secret_id" ] && [ -n "$env_var" ]; then + SECRETS_ARGS="$SECRETS_ARGS --secret id=$secret_id,env=$env_var" + fi + done + fi + docker buildx create --use --name=cache-builder docker buildx build --push \ --platform ${{ inputs.docker_platforms }} \ From 20a9407e1f78431005a52d0bc2e43c2a38c4a02d Mon Sep 17 00:00:00 2001 From: "Dario G. Mori" Date: Fri, 27 Feb 2026 16:54:23 +0100 Subject: [PATCH 4/4] fix: adding missing secrets_input --- deploy/build-push-docker-ecr/action.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/deploy/build-push-docker-ecr/action.yml b/deploy/build-push-docker-ecr/action.yml index e6b1b1d..0ae4f9c 100644 --- a/deploy/build-push-docker-ecr/action.yml +++ b/deploy/build-push-docker-ecr/action.yml @@ -29,6 +29,10 @@ inputs: cache_key_prefix: description: "Prefix for cache key" default: "docker-layers" + + secrets_input: + description: "Comma-separated list of secret names and their env vars (format: secret_id=env_var)" + default: "" runs: using: "composite" @@ -80,7 +84,7 @@ runs: fi done fi - + docker buildx create --use --name=cache-builder docker buildx build --push \ --platform ${{ inputs.docker_platforms }} \
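Review bot: `SECRETS_ARGS` is assembled as one whitespace-joined string that the build line below this hunk expands unquoted, so any `secret_id` or `env_var` containing a space becomes additional buildx arguments — a caller-controlled `secrets_input` such as `tok=TOKEN --output type=local,dest=.` would add its own flags to the build, and `echo "$secret_pair" | xargs` can also fail on a stray quote in the input. Validate both halves as identifier-shaped names, fail closed on anything else, and collect the flags in a bash array that is passed as `"${SECRETS_ARGS[@]}"` on the `docker buildx build` line (that line sits outside this hunk). The rewritten loop:
```yaml
      run: |
        # One --secret flag per secret_id=ENV_VAR pair; ENV_VAR is the NAME of an
        # env var exported on the calling step, never the secret value itself.
        SECRETS_ARGS=()
        if [ -n "$SECRETS_INPUT" ]; then
          IFS=',' read -ra SECRETS <<< "$SECRETS_INPUT"
          for secret_pair in "${SECRETS[@]}"; do
            # Trim surrounding whitespace without handing the value to xargs.
            secret_pair="${secret_pair#"${secret_pair%%[![:space:]]*}"}"
            secret_pair="${secret_pair%"${secret_pair##*[![:space:]]}"}"
            IFS='=' read -r secret_id env_var <<< "$secret_pair"
            # Identifier-shaped names only: anything else is not a valid env var
            # name and would be word-split into extra buildx flags.
            if [[ "$secret_id" =~ ^[A-Za-z_][A-Za-z0-9_.-]*$ && "$env_var" =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]]; then
              SECRETS_ARGS+=(--secret "id=$secret_id,env=$env_var")
            else
              echo "secrets_input: rejecting malformed pair '$secret_pair'" >&2
              exit 1
            fi
          done
        fi
        # … unchanged: docker buildx create / build; use "${SECRETS_ARGS[@]}" where $SECRETS_ARGS was …
```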