moby · crazy-max · Mar 12, 2025 · Mar 11, 2025
diff --git a/frontend/gateway/container/container.go b/frontend/gateway/container/container.go
@@ -389,14 +389,11 @@ func (gwCtr *gatewayContainer) loadSecretEnv(ctx context.Context, secretEnv []*p
 		err = gwCtr.sm.Any(ctx, gwCtr.group, func(ctx context.Context, _ string, caller session.Caller) error {
 			dt, err = secrets.GetSecret(ctx, caller, id)
 			if err != nil {
-				if errors.Is(err, secrets.ErrNotFound) && sopt.Optional {
-					return nil
-				}
 				return err
 			}
 			return nil
 		})
-		if err != nil {
+		if err != nil && !(errors.Is(err, secrets.ErrNotFound) && sopt.Optional) {
 			return nil, err
 		}
 		out = append(out, fmt.Sprintf("%s=%s", sopt.Name, string(dt)))

diff --git a/solver/llbsolver/ops/exec.go b/solver/llbsolver/ops/exec.go
@@ -559,14 +559,11 @@ func (e *ExecOp) loadSecretEnv(ctx context.Context, g session.Group) ([]string,
 		err = e.sm.Any(ctx, g, func(ctx context.Context, _ string, caller session.Caller) error {
 			dt, err = secrets.GetSecret(ctx, caller, id)
 			if err != nil {
-				if errors.Is(err, secrets.ErrNotFound) && sopt.Optional {
-					return nil
-				}
 				return err
 			}
 			return nil
 		})
-		if err != nil {
+		if err != nil && !(errors.Is(err, secrets.ErrNotFound) && sopt.Optional) {
 			return nil, err
 		}
 		out = append(out, fmt.Sprintf("%s=%s", sopt.Name, string(dt)))

diff --git a/source/git/source.go b/source/git/source.go
@@ -256,9 +256,11 @@ func (gs *gitSourceHandler) getAuthToken(ctx context.Context, g session.Group) e
 	if err != nil {
 		return err
 	}
-	return gs.sm.Any(ctx, g, func(ctx context.Context, _ string, caller session.Caller) error {
+	err = gs.sm.Any(ctx, g, func(ctx context.Context, _ string, caller session.Caller) error {
+		var err error
 		for _, s := range sec {
-			dt, err := secrets.GetSecret(ctx, caller, s.name)
+			var dt []byte
+			dt, err = secrets.GetSecret(ctx, caller, s.name)
 			if err != nil {
 				if errors.Is(err, secrets.ErrNotFound) {
 					continue
@@ -271,8 +273,12 @@ func (gs *gitSourceHandler) getAuthToken(ctx context.Context, g session.Group) e
 			gs.authArgs = []string{"-c", "http." + tokenScope(gs.src.Remote) + ".extraheader=Authorization: " + string(dt)}
 			break
 		}
-		return nil
+		return err
 	})
+	if errors.Is(err, secrets.ErrNotFound) {
+		err = nil
+	}
+	return err
 }
 
 func (gs *gitSourceHandler) mountSSHAuthSock(ctx context.Context, sshID string, g session.Group) (string, func() error, error) {