We agree it’s pretty unusual. We’re aware of the need for some service lifecycle hooks for things like running migrations and that’s something we’re looking into building. That is to say, we don’t have a hook right now to run migrations. The workaround that many have done is to incorporate it into their build scripts, but that can be less than ideal for some use cases. Docker services are one of those. We’re happy to add this to feedback.render.com, which we take into account when planning our work.
We also have an open issue for manually triggering jobs (e.g. migrations), which people have worked around by creating cron jobs that run extremely infrequently (or are even suspended). Perhaps this would work for you. The idea is to create a Docker cron job and add your migration command as its run command (no Dockerfile changes needed). Then you can control when you run your migrations.
As for BuildKit secrets, you might be happy to know that we do support them backed by secret files. We don’t have official docs on that yet, but you can see the approach in this short thread.