Add validation for build secrets

shanejbrown · shanejbrown · commit 5c8e1c39d285 · 2025-04-11T11:41:03.000-06:00
diff --git a/README.rst b/README.rst
@@ -355,9 +355,9 @@ shows the different configuration options available:
         # More info about secrets: https://docs.docker.com/build/building/secrets/
         secrets:
           # Example of a secret that is a file
-          - id=secret1,src=examples/build/secrets/secret1.txt
+          - id=secret1,src=<path to the secret file>
           # Example of a secret that is an environment variable
-          - id=secret2,env=SECRET2
+          - id=secret2,env=<environment variable name>
 
 
 .. _Build Secrets:
diff --git a/buildrunner/config/models.py b/buildrunner/config/models.py
@@ -150,7 +150,7 @@ class Config(BaseModel, extra="forbid"):
 
     @field_validator("steps")
     @classmethod
-    def validate_steps(cls, vals) -> None:
+    def validate_steps(cls, vals, info) -> None:
         """
         Validate the config file
 
@@ -161,12 +161,20 @@ def validate_steps(cls, vals) -> None:
         if not vals:
             raise ValueError('The "steps" configuration was not provided')
 
-        # Checks to see if there is a mutli-platform build step in the config
+        # Checks steps for mutli-platform or secrets
         has_multi_platform_build = False
+        has_secrets = False
         for step in vals.values():
             has_multi_platform_build = (
                 has_multi_platform_build or step.is_multi_platform()
             )
+            has_secrets = has_secrets or step.has_secrets()
+
+        if has_secrets:
+            if info.data.get("use_legacy_builder"):
+                raise ValueError(
+                    "Build secrets are not supported with the legacy builder. Please set use-legacy-builder to false in order to use secrets in your build."
+                )
 
         if has_multi_platform_build:
             mp_push_tags = set()
diff --git a/buildrunner/config/models_step.py b/buildrunner/config/models_step.py
@@ -243,3 +243,9 @@ def is_multi_platform(self):
         Check if the step is a multi-platform build step
         """
         return self.build and self.build.platforms is not None
+
+    def has_secrets(self):
+        """
+        Check if the step has secrets
+        """
+        return self.build and self.build.secrets is not None
