Allow docker build secrets to be files

[eerhardt]

Description

This allows people to pass .npmrc files as docker secrets without baking auth credentials into this image.

Checklist

• Is this feature complete?
  • Yes. Ready to ship.
  • No. Follow-up changes expected.
• Are you including unit tests for the changes and scenario tests if relevant?
  • Yes
  • No
• Did you add public API?
  • Yes
    • If yes, did you have an API Review for it?
      • Yes
      • No
    • Did you add <remarks /> and <code /> elements on your triple slash comments?
      • Yes
      • No
  • No
• Does the change make any security assumptions or guarantees?
  • Yes
    • If yes, have you done a threat model and had a security review?
      • Yes
      • No
  • No
• Does the change require an update in our Aspire docs?
  • Yes
    • Link to aspire.dev issue:
      • New issue
  • No

[github-actions]

🚀 Dogfood this PR with:

⚠️ WARNING: Do not do this without first carefully reviewing the code of this PR to satisfy yourself it is safe.

curl -fsSL https://raw.githubusercontent.com/dotnet/aspire/main/eng/scripts/get-aspire-cli-pr.sh | bash -s -- 14559

Or

• Run remotely in PowerShell:

iex "& { $(irm https://raw.githubusercontent.com/dotnet/aspire/main/eng/scripts/get-aspire-cli-pr.ps1) } 14559"

[mitchdenny]

Do you think we should have `WithBuildSecretFile(callback) where we can give it a file, but defer evaluation.

[Copilot]

Pull request overview

This pull request adds support for file-based Docker build secrets in addition to the existing environment variable-based secrets. This allows developers to pass files like .npmrc as build secrets without embedding authentication credentials directly in container images.

Changes:

• Introduces BuildImageSecretValue record and BuildImageSecretType enum to represent both environment-based and file-based secrets
• Updates IContainerRuntime.BuildImageAsync signature to use Dictionary<string, BuildImageSecretValue> instead of Dictionary<string, string?>
• Modifies secret resolution logic in ResourceContainerImageManager to detect FileInfo objects and mark them as file-based secrets
• Updates BuildSecretsString method to format secrets appropriately based on type (env vs file)
• Adds comprehensive test coverage for the new functionality

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
src/Aspire.Hosting/Publishing/BuildImageSecretValue.cs	New file defining the BuildImageSecretValue record and BuildImageSecretType enum marked as Experimental
src/Aspire.Hosting/Publishing/ResourceContainerImageManager.cs	Updates secret resolution to detect FileInfo and create BuildImageSecretValue with appropriate type
src/Aspire.Hosting/Publishing/ContainerRuntimeBase.cs	Modifies BuildSecretsString to format secrets based on type (file uses src=path, env uses env=VAR)
src/Aspire.Hosting/Publishing/DockerContainerRuntime.cs	Updates to use BuildImageSecretValue and only set environment variables for environment-type secrets
src/Aspire.Hosting/Publishing/PodmanContainerRuntime.cs	Updates to use BuildImageSecretValue and only set environment variables for environment-type secrets
src/Aspire.Hosting/Publishing/IContainerRuntime.cs	Updates BuildImageAsync signature to accept Dictionary<string, BuildImageSecretValue>
tests/Aspire.Hosting.Tests/Publishing/FakeContainerRuntime.cs	Updates test fake to use BuildImageSecretValue type
tests/Aspire.Hosting.Tests/Publishing/ResourceContainerImageManagerTests.cs	Adds comprehensive tests for file-based secrets and updates existing tests to verify both Value and Type properties