Add SecretStdin to Container.WithExec options

[sagikazarmark]

What are you trying to do?

Pass a Secret to a commands stdin (without having to resolve it first):

secret := dag.SetSecret()

ctr.WithExec(
    []string{"helm", "login", "--username", "foo", "--password-stdin"},
    ContainerWithExecOpts{SecretStdin: secret},
)

Why is this important to you?

Passing secrets to commands in plaintext isn't particularly safe. Although the documentation says that logs are scrubbed from secrets, who knows...

How are you currently working around this?

I'm passing the secret to the command as plaintext 🙈

[nipuna-perera]

I typically trust ENV vars for secrets. This is how I use them

secret := dag.SetSecret()

ctr.
WithSecretVariable("mysupersecret", secret).
WithExec(
    []string{"sh", "-c", "helm login --username foo --password $mysupersecret"}
)

You can also clean up the env var after the withExec if you don't care to keep it there beyond the exec. These are well masked in the logs in my experience.

Fix for docs here - #7232

[sagikazarmark]

This is why I don't like private conversations, but it's my fault this time. 😄

That's what I ended up doing here: https://github.com/sagikazarmark/daggerverse/pull/78/files#diff-beaf12926edc465430f49c65836319776edbc52ad35bb38065b8df5bdf2bf301R138-R162