Does @pulumi/docker support docker secrets? I am having trouble finding documentation on how to securely pass secrets as an environment variable such that it does not get cached in the build layers

you probably want to write your secret to a place that is designed for that. Then when you are spinning up your docker container, the secret service will pass in the secret as an environment variable

I am current using Google Secret Manager during runtime. The problem I am currently running into is a secret needs to be available as environment variable during a build step when creating the image.

Security best practice is to provide secrets at runtime. Why do you need it at build time?

Working with a third party package, PayloadCMS. PayloadCMS requires secret when initializing the express backend. Unfortunately this also occurs at build time when generating GraphQL endpoints and other generated schemas. Their docs kinda skirt around how to do this securely using docker because all the examples I have seen so far use dotenv file which I dont want to use with secrets in plain text for obvious reasons. I am surprise more people don't run into this issue of requiring secrets a built time but thrown away afterwards to provide them via secret manager like you said at runtime.

Are you initializing a PayloadCMS instance (backend?) when you are building the Docker container?

@alert-midnight-11504 FYI we launched a Docker Build provider with

--secret

support today https://www.pulumi.com/blog/docker-build/