Update .gitea/workflows/docker-build-and-push.yaml

.gitea/workflows/docker-build-and-push.yaml

@@ -14,7 +14,15 @@ on:
         default: Dockerfile
       USER_FOR_IMAGE_STORE:
         type: string
-        default: registry-bot 
+        default: registry-bot
+      VAULT_SECRETS_PATH:
+        type: string
+        default: ""
+        description: "Path in Vault to fetch build-time secrets (e.g., cicd/data/gmt-client)"
+      BUILD_ARG_NAMES:
+        type: string
+        default: ""
+        description: "Comma-separated list of build arg names to fetch from Vault"
     secrets:
       VAULT_TOKEN:
         required: true
@@ -38,6 +46,16 @@ jobs:
             cicd/data/docker username | REGISTRY_USERNAME ;
             cicd/data/submodule token | SUBMODULE_TOKEN   ;
             cicd/data/submodule npm_token | NPM_TOKEN     ;
+
+      - name: Import Build Args from Vault
+        if: ${{ inputs.VAULT_SECRETS_PATH != '' && inputs.BUILD_ARG_NAMES != '' }}
+        uses: hashicorp/vault-action@v2
+        with:
+          url: https://vault.project-quest-dev.com
+          token: ${{ secrets.VAULT_TOKEN }}
+          secrets: |
+            ${{ inputs.VAULT_SECRETS_PATH }} * | BUILD_SECRETS_RAW ;
+
       - name: Checkout code
         uses: actions/checkout@v4
         with:
@@ -64,6 +82,33 @@ jobs:
             echo "VERSION=$VERSION" >> $GITHUB_ENV
           fi
 
+      - name: Prepare Build Args
+        if: ${{ inputs.BUILD_ARG_NAMES != '' }}
+        run: |
+          BUILD_ARGS_FLAGS=""
+          
+          # Разбираем comma-separated список имен аргументов
+          IFS=',' read -ra ARG_NAMES <<< "${{ inputs.BUILD_ARG_NAMES }}"
+          
+          for arg_name in "${ARG_NAMES[@]}"; do
+            # Убираем пробелы
+            arg_name=$(echo "$arg_name" | xargs)
+            
+            # Получаем значение из импортированных секретов
+            # В Vault Action каждый ключ экспортируется как отдельная env переменная
+            arg_value=$(printenv "$arg_name" || echo "")
+            
+            if [ -n "$arg_value" ]; then
+              BUILD_ARGS_FLAGS="$BUILD_ARGS_FLAGS --build-arg $arg_name=$arg_value"
+              echo "✓ Build arg added: $arg_name"
+            else
+              echo "⚠ Warning: $arg_name not found in Vault secrets"
+            fi
+          done
+          
+          echo "BUILD_ARGS_FLAGS=$BUILD_ARGS_FLAGS" >> $GITHUB_ENV
+          echo "Build args flags: $BUILD_ARGS_FLAGS"
+
       - name: Login to Docker registry
         uses: docker/login-action@v2
         with:
@@ -75,6 +120,7 @@ jobs:
         run: |
           docker build \
             --build-arg SUBMODULE_TOKEN=${{ env.NPM_TOKEN }} \
+            $BUILD_ARGS_FLAGS \
             -f ${{ inputs.DOCKERFILE_PATH }} \
             -t ${{ inputs.REGISTRY }}/${{ inputs.USER_FOR_IMAGE_STORE }}/${{ inputs.APP_NAME }}:${{ env.VERSION }} \
             .