Best practice for build-time secrets?

Hi!

Yep, the build-time secrets documented here are the way currently. We’ve had some internal discussions on whether we can improve that - so that’s in process, but there are no firm decisions on that yet.

Partially the build-time secrets are a bit annoying due to how Docker makes us “mount” secrets into a container. I’ve had a similar question about injecting them for you during the build step - it doesn’t seem like Docker gives us a way to “mount” secrets into the build due to how Docker exposes its API there (or we haven’t found it yet).