Mounts token as docker secret

lorengordon · lorengordon · commit be6c8b3d5516 · 2025-05-13T06:40:02.000-08:00
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -67,8 +67,8 @@ jobs:
           context: .
           load: true
           tags: plus3it/tardigrade-ci:test
-          build-args: |
-            GITHUB_ACCESS_TOKEN=${{ secrets.GH_READONLY_TOKEN }}
+          secrets: |
+            "GITHUB_ACCESS_TOKEN=${{ secrets.GITHUB_TOKEN }}"
 
       - name: Run bats tests
         if: github.event_name == 'pull_request'
@@ -81,3 +81,5 @@ jobs:
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+          secrets: |
+            "GITHUB_ACCESS_TOKEN=${{ secrets.GH_READONLY_TOKEN }}"
diff --git a/Dockerfile b/Dockerfile
@@ -1,9 +1,10 @@
-FROM golang:1.24.3-bookworm as golang
+FROM golang:1.24.3-bookworm AS golang
 
 FROM python:3.13.3-bookworm
 
 ARG PROJECT_NAME=tardigrade-ci
-ARG GITHUB_ACCESS_TOKEN
+
+RUN --mount=type=secret,id=GITHUB_ACCESS_TOKEN,env=GITHUB_ACCESS_TOKEN
 
 ENV USER=${PROJECT_NAME}
 ENV USER_UID=1000
diff --git a/Makefile b/Makefile
@@ -66,7 +66,7 @@ help/generate:
 	{ lastLine = $$0 }' $(MAKEFILE_LIST) | sort -u
 	@printf "\n"
 
-GITHUB_AUTHORIZATION := $(if $(GITHUB_ACCESS_TOKEN),-H "Authorization: token $$GITHUB_ACCESS_TOKEN",)
+GITHUB_AUTHORIZATION := $(if $(GITHUB_ACCESS_TOKEN),-H "Authorization: token $$GITHUB_ACCESS_TOKEN",$(if $(GITHUB_TOKEN),-H "Authorization: token $$GITHUB_TOKEN",))
 
 # Macro to return the download url for a github release
 # For latest release, use version=latest
