This is the reason for the multi-stage Docker build. You’ll notice that the credentials are used only within the first stage of the build. The compiled Go binary is copied from the first stage into the last stage (the stage that starts with ‘FROM scratch AS final’), and the credentials are not copied.

Also, the credentials are passed into the Docker build using build arguments (--build-arg) because the Dockerfile contains this:
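Added example (not from the original post): a small Python check that a Dockerfile follows the pattern described above, with credential build arguments confined to a non-final stage and only the binary copied into the final stage. The ARG names GIT_USER and GIT_TOKEN, the host git.example.com and both sample Dockerfiles are constructed assumptions.

```python
import re

# Constructed sample Dockerfile in the shape the post describes. GIT_USER,
# GIT_TOKEN and git.example.com are assumed names, not taken from the post.
GOOD = r'''
FROM golang:1.22 AS build
ARG GIT_USER
ARG GIT_TOKEN
RUN git config --global url."https://${GIT_USER}:${GIT_TOKEN}@git.example.com/".insteadOf "https://git.example.com/"
WORKDIR /src
COPY . .
RUN CGO_ENABLED=0 go build -o /app .
FROM scratch AS final
COPY --from=build /app /app
ENTRYPOINT ["/app"]
'''
# Constructed counter-example: the final stage is based on the credentialed stage.
BAD = GOOD.replace("FROM scratch AS final", "FROM build AS final\nARG GIT_TOKEN")

CRED_ARG = re.compile(r"ARG\s+(\w*(?:TOKEN|PASSWORD|SECRET|KEY|USER)\w*)", re.I)
CRED_FILE = re.compile(r"\.gitconfig|\.netrc|\.git-credentials|\.ssh")

def stages(dockerfile):
    """Split a Dockerfile into [{'name', 'base', 'lines'}] in build order."""
    out = []
    for line in dockerfile.replace("\\\n", " ").splitlines():
        line = line.strip()
        m = re.match(r"FROM\s+(\S+)(?:\s+AS\s+(\S+))?", line, re.I)
        if m:
            out.append({"name": (m.group(2) or str(len(out))).lower(),
                        "base": m.group(1).lower(), "lines": []})
        elif out and line and not line.startswith("#"):
            out[-1]["lines"].append(line)
    return out

def audit(dockerfile):
    """Return findings that would let build credentials reach the final image."""
    st = stages(dockerfile)
    creds = {s["name"]: [CRED_ARG.match(l).group(1) for l in s["lines"]
                         if CRED_ARG.match(l)] for s in st}
    final, findings = st[-1], []
    for arg in creds[final["name"]]:
        findings.append(f"final stage declares credential ARG {arg}")
    if creds.get(final["base"]):
        findings.append(f"final stage inherits layers from credentialed stage '{final['base']}'")
    for l in final["lines"]:
        if re.match(r"COPY\s+--from=", l, re.I) and CRED_FILE.search(l):
            findings.append(f"final stage copies a credential file: {l}")
    return findings
```

An empty result from `audit` covers only the final image: the build stage still carries the build-argument values in its layers and history, so that intermediate image should not be tagged or pushed.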
