
Build Secrets — API Reference

Package: dodil.ignite.v1 · Service: BuildService

SaveBuildSecrets stores the credentials a build needs — registry auth, git credentials for private repos, and extra secret build args — so they can be applied automatically when a build runs.

Stored per organization, not per build. These credentials live at the org level and are applied automatically to every build in the org. This is distinct from Compute BYOI, where you reference a named SecretService slot via registry_secret_ref on the app. Build secrets have no per-build name — you save them once and they apply org-wide.

| RPC | HTTP | Streaming |
| --- | --- | --- |
| SaveBuildSecrets | PUT /v1/ignite/builds/secrets | unary |

SaveBuildSecrets

Saves (replaces) the organization’s build credentials. All three groups are optional — send only the ones you want to set.

  • registry_credentials — map of registry URL → auth, used to push built images and to pull private base images referenced in your Dockerfile.
  • git_credentials — a PAT for cloning private git repos; auto-applied to git_source builds.
  • build_secrets — extra values exposed to the build as build args. When a build arg’s value comes from here, it is redacted to *** wherever the build record echoes args back (see Build.build_args).

Request

| Field (proto) | HTTP (pbjson) | Type | Notes |
| --- | --- | --- | --- |
| registry_credentials | registryCredentials | map<string, string> | Registry URL → auth, for pushing images / pulling private base images. |
| git_credentials | gitCredentials | GitCredentials | PAT for cloning private git repos. |
| build_secrets | buildSecrets | map<string, string> | Extra values exposed as build args; redacted to *** in build records. |

GitCredentials:

| Field (proto) | HTTP (pbjson) | Type | Notes |
| --- | --- | --- | --- |
| username | username | string | Git username. |
| password | password | string | Personal access token (PAT). |

curl -sS -X PUT "https://api.dev.dodil.io/v1/ignite/builds/secrets" \
  -H "Authorization: Bearer $DODIL_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "registryCredentials": { "ghcr.io": "<base64 user:token>" },
    "gitCredentials": { "username": "build-bot", "password": "ghp_xxxxxxxxxxxxxxxx" },
    "buildSecrets": { "NPM_TOKEN": "npm_xxxxxxxxxxxx" }
  }'

Response

{ "success": true }

Once saved, git_credentials are applied automatically to git_source builds, registry_credentials to image push/pull, and any build_secrets referenced by a build arg show as *** in the resulting Build.
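The following is an added example, not code from the Dodil documentation or SDK. It assembles the same request body in Python so the credentials travel in the request body rather than in a shell command line, sends only the groups that are set, and produces a redacted copy for local logging. The function names and the tuple input shapes are assumptions of this example; the endpoint and JSON field names come from the curl call above.

```python
import base64
import json
import urllib.request

# Endpoint and JSON field names are taken from the page's curl example.
ENDPOINT = "https://api.dev.dodil.io/v1/ignite/builds/secrets"

def registry_auth(user, token):
    """base64("user:token"), the registry auth form shown on the page."""
    if ":" in user:
        raise ValueError("username must not contain ':'")
    return base64.b64encode(f"{user}:{token}".encode()).decode("ascii")

def build_payload(registries=None, git=None, build_secrets=None):
    """Assemble the pbjson body; a group left unset is not sent at all."""
    body = {}
    if registries:  # {registry host: (user, token)}
        body["registryCredentials"] = {
            host: registry_auth(*cred) for host, cred in registries.items()}
    if git:  # (username, PAT)
        body["gitCredentials"] = {"username": git[0], "password": git[1]}
    if build_secrets:  # {build arg name: value}
        body["buildSecrets"] = dict(build_secrets)
    return body

def redacted(body):
    """Copy that is safe to log: every secret value is replaced by ***."""
    out = {}
    for group, value in body.items():
        if group == "gitCredentials":
            out[group] = {"username": value["username"], "password": "***"}
        else:
            out[group] = {name: "***" for name in value}
    return out

def make_request(body, api_token):
    """PUT request with the secrets in the body, never in process arguments."""
    return urllib.request.Request(
        ENDPOINT, data=json.dumps(body).encode(), method="PUT",
        headers={"Authorization": f"Bearer {api_token}",
                 "Content-Type": "application/json"})

if __name__ == "__main__":
    # Constructed sample values; nothing is sent over the network here.
    sample = build_payload(registries={"ghcr.io": ("build-bot", "constructed")},
                           build_secrets={"NPM_TOKEN": "constructed-value"})
    print(json.dumps(redacted(sample), indent=2))
```

Pass the result of make_request to urllib.request.urlopen to send it, reading the API token from the environment rather than hard-coding it.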

