i forgot about build secrets

Dockerfile

@@ -19,15 +19,23 @@ COPY --chmod=0440  assets/linux/sudoers-sleepbotzz /etc/sudoers.d/sleepbotzz
 # User constraints
 
 # https://huggingface.co/docs/hub/spaces-sdks-docker#permissions
-RUN useradd -m -u 1000 -s /bin/bash -p "${BUILD_USER_PASSWORD}" sleepbotzz
-
+RUN useradd -m -u 1000 -s /bin/bash sleepbotzz
+
+# secrets
+#   https://huggingface.co/docs/hub/spaces-sdks-docker
+#   https://docs.docker.com/build/building/secrets/
+#   https://docs.docker.com/reference/cli/docker/buildx/build/#secret
+#   must be provided in `docker buildx` -- "ERROR: secret BUILD_USER_PASSWORD: not found"
+# precedent = ARG, secret
 # password
 #   https://askubuntu.com/questions/752500/how-do-i-encrypt-a-new-users-password-using-the-useradd-command
 #   received as clear text from HF secrets
 #   encrypted with $6 (SHA-512)
 #   direct use of `python` is to avoid escaping the '$'s
 ARG BUILD_USER_PASSWORD
-RUN usermod --password \
+RUN --mount=type=secret,id=BUILD_USER_PASSWORD,mode=0444,required=true \
+    export BUILD_USER_PASSWORD="${BUILD_USER_PASSWORD:-$(cat /run/secrets/BUILD_USER_PASSWORD)}" ; \
+    usermod --password \
     $(python -c "import crypt; import os; print(crypt.crypt(os.getenv('BUILD_USER_PASSWORD'), \"\$6\$$(</dev/urandom tr -dc 'a-zA-Z0-9' | head -c 32)\$\"))") \
     sleepbotzz
 

README.md

@@ -20,9 +20,20 @@ Check out the configuration reference at https://huggingface.co/docs/hub/spaces-
 ## Notes To myself
 
 ```bash
+# secret file
+echo "xxx" > /tmp/BUILD_USER_PASSWORD
+
 # vs. 'linux/arm64'
 docker buildx build . -t cantremember/hf-my-first-docker:latest \
   --platform linux/amd64 \
+  --progress=plain --no-cache \
+  --secret id=BUILD_USER_PASSWORD,type=file,source=/tmp/BUILD_USER_PASSWORD \
   --build-arg BUILD_USER_PASSWORD=___
+
 docker run -it --platform linux/amd64 cantremember/hf-my-first-docker:latest bash
 ```
+
+Secrets
+
+- Spaces > Settings > Variables and secrets
+- `BUILD_USER_PASSWORD` - Desired password for sleepbotzz user