    Doesn’t multi-stage build solve the same problem? You pass the secrets to the first stage then copy the results to the second. I’m no Docker expert so I might be missing something here.

      It does solve the problem… but introduces a new one. The new problem is that once you do that, you can’t push the first stage to the registry, because then you’re leaking secrets. Which means every time you build your image, you have to rebuild it from scratch; you can’t rely on build caching.

      For Go applications that’s often fine, but for some languages that means 20-minute builds.
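
The trade-off in this exchange, as an added example that is not part of the thread: a small check that reads a multi-stage Dockerfile and reports which stages can carry a secret in their layers or history, and so should not be pushed to a registry as cache. The secret-name pattern, the function names and the sample Dockerfile are assumptions constructed for illustration.

```python
import re

# Assumption: an ARG/ENV is treated as a secret when its name matches this pattern.
SECRET_NAME = re.compile(r"TOKEN|SECRET|PASSWORD|PASSWD|KEY", re.I)

def tainted_stages(dockerfile: str) -> dict[str, bool]:
    """Map each build stage to True if its layers or history can carry a secret."""
    stages: dict[str, bool] = {}
    current, index = None, 0
    for raw in dockerfile.splitlines():
        parts = raw.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        instr = parts[0].upper()
        if instr == "FROM":
            args = [p for p in parts[1:] if not p.startswith("--")]  # skip --platform=...
            named = len(args) >= 3 and args[1].upper() == "AS"
            current = args[2].lower() if named else str(index)
            index += 1
            # "FROM <earlier stage>" inherits that stage's layers and history;
            # "COPY --from=<stage>" does not, so it is deliberately ignored here.
            stages[current] = stages.get(args[0].lower(), False)
        elif instr in ("ARG", "ENV") and current is not None and len(parts) > 1:
            if SECRET_NAME.search(parts[1].split("=")[0]):
                stages[current] = True
    return stages

def pushable(dockerfile: str) -> list[str]:
    """Stages that received no secret and are safe to push, e.g. as build cache."""
    return [name for name, bad in tainted_stages(dockerfile).items() if not bad]

# Constructed sample: the secret goes to the first stage, results are copied onward.
SAMPLE = """\
FROM golang:1.22 AS build
ARG GITHUB_TOKEN
RUN go build -o /out/app ./...

FROM build AS test
RUN go test ./...

FROM scratch AS release
COPY --from=build /out/app /app
"""

if __name__ == "__main__":
    for stage, bad in tainted_stages(SAMPLE).items():
        print(f"{stage}: {'holds secret, do not push' if bad else 'safe to push'}")
```

Only `release` comes out as safe to push; `build`, where the slow work happens, is the stage that cannot be shared as cache.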