I want to setup gcloud sdk within a docker build in a github action. Therefore i need to pass a service-account.json to the dockerfile.

I know i can pass build arguments to the dockerfile and of course i can pass a Github secret here. But now i heard about Docker secrets whose prevent the secrets being read in the docker log. Does one really have to provide a path for the secret? I don't want to save the secret in the repository and i would prefer to use a github secret.

So any ideas what is the best and most secure way to pass a github secret in a gh action to a dockerfile for building?