How to pass secret to Dockerfile in pipeline build (publishImageConfig)

I’m passing two variabls to the build args but only the CICD one is passed correctly, is this not possible or am I’m doing something wrong? My yaml is below. Thank you for the help.

stages:
  - name: Build
    steps:
      - publishImageConfig:
          dockerfilePath: ./testing.Dockerfile
          buildContext: .
          tag: testing-${CICD_GIT_BRANCH}:${CICD_EXECUTION_SEQUENCE}
          registry: 127.0.0.1:34695
        env:
          PLUGIN_BUILD_ARGS: FONTAWESOME_NPM_AUTH_TOKEN=${FONTAWESOME_NPM_AUTH_TOKEN},CICD_GIT_COMMIT=${CICD_GIT_COMMIT}
        envFrom:
          - sourceName: testing-pipeline-secrets
            sourceKey: FONTAWESOME_NPM_AUTH_TOKEN
            targetKey: FONTAWESOME_NPM_AUTH_TOKEN

In case this is not possible what would be a good alternative to not be forced to hardcode secrets into Dockerfile?