Wait, I do the DB migrations in the Dockerfile build? That doesn’t seem normal or secure, as then I would need to pass the DB connect as a build arg, which is saved in the final Docker image. It does look like you pass environment args to build args, so I will go ahead and do that for now, but it is a bummer as local dev will now have to have a different container vs. the Render one. Also, that image will now always have those values in its metadata (A tableau of crimes and misfortunes: the ever-useful `docker history`). You would have to use the new BuildKit `--secret` for it not to be in the image history. So I hope you are running a very secure image repo locally.
In other pipelines I have worked on, we normally have a step after the Docker image build that runs the Docker image with a different command to do the migrations of anything before spinning up the new images. Having a post-build step to run commands would really help here.
Also, you all should really consider not passing all environment variables to the Docker build as build args, but instead support a different param for it, just to be safe, and use the BuildKit `--secret` to use it.
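
A check for the leak described in the post above, as an added example that is not part of the original post: it scans `docker history` output for build args that look like credentials. The function name, the sample lines, hosts and credentials are constructed for illustration, and it assumes build-arg values contain no spaces.

```shell
#!/bin/sh
# Added example (not from the original post): list build args recorded in image history.
# Real use: docker history --no-trunc --format '{{.CreatedBy}}' IMAGE | leaked_build_args
# A RUN layer built with build args stores them as "|<count> KEY=VALUE ..." before
# the command. Assumption: values contain no spaces.

leaked_build_args() {
  awk '
    {
      start = 0
      for (i = 1; i <= NF; i++)            # find the "|N" build-arg marker
        if ($i ~ /^[|][0-9]+$/) { start = i; break }
      if (!start) next
      n = substr($start, 2) + 0            # number of KEY=VALUE fields that follow
      for (j = start + 1; j <= start + n && j <= NF; j++) {
        eq = index($j, "=")
        if (!eq) continue
        key = substr($j, 1, eq - 1)
        val = substr($j, eq + 1)
        reason = ""
        if (val ~ "://[^/@:]+:[^/@]+@")    # scheme://user:password@host
          reason = "url-with-credentials"
        else if (toupper(key) ~ /PASS|SECRET|TOKEN|KEY|DATABASE_URL/)
          reason = "secret-like-name"
        if (reason != "" && !seen[key]++) print key "\t" reason
      }
    }'
}

# Constructed sample of CreatedBy lines; hosts and credentials are made up.
sample_history() {
  cat <<'EOF'
CMD ["node" "server.js"]
RUN |2 NODE_ENV=production DATABASE_URL=postgres://app:s3cr3t@db.example.internal:5432/app /bin/sh -c npm run migrate # buildkit
RUN |1 API_TOKEN=abc123 /bin/sh -c npm ci # buildkit
RUN /bin/sh -c DATABASE_URL="$(cat /run/secrets/database_url)" npm run migrate # buildkit
EOF
}

sample_history | leaked_build_args
```

The last sample line stands for a layer built with `RUN --mount=type=secret,id=database_url` and `docker build --secret id=database_url,env=DATABASE_URL .`: only the path under `/run/secrets/` is recorded, so nothing is flagged.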