Mounts token as docker secret

Author: lorengordon

.github/workflows/build.yml

@@ -67,12 +67,12 @@ jobs:
           context: .
           load: true
           tags: plus3it/tardigrade-ci:test
-          build-args: |
-            GITHUB_ACCESS_TOKEN=${{ secrets.GH_READONLY_TOKEN }}
+          secrets: |
+            "GITHUB_ACCESS_TOKEN=${{ secrets.GITHUB_TOKEN }}"
 
       - name: Run bats tests
         if: github.event_name == 'pull_request'
-        run: docker run --rm plus3it/tardigrade-ci:test bats/test
+        run: docker run --rm -e "GITHUB_ACCESS_TOKEN=${{ secrets.GITHUB_TOKEN }}" plus3it/tardigrade-ci:test bats/test
 
       - name: Push to registries
         if: github.event_name != 'pull_request'
@@ -81,3 +81,5 @@ jobs:
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+          secrets: |
+            "GITHUB_ACCESS_TOKEN=${{ secrets.GH_READONLY_TOKEN }}"

.github/workflows/lint.yml

@@ -9,6 +9,8 @@ concurrency:
 jobs:
   lint:
     runs-on: ubuntu-latest
+    env:
+      GITHUB_ACCESS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     steps:
       - name: Clone this git repository
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683

Dockerfile

@@ -1,9 +1,10 @@
-FROM golang:1.24.3-bookworm as golang
+FROM golang:1.24.3-bookworm AS golang
 
 FROM python:3.13.3-bookworm
 
 ARG PROJECT_NAME=tardigrade-ci
-ARG GITHUB_ACCESS_TOKEN
+
+RUN --mount=type=secret,id=GITHUB_ACCESS_TOKEN,env=GITHUB_ACCESS_TOKEN
 
 ENV USER=${PROJECT_NAME}
 ENV USER_UID=1000