fix: secure GITHUB_TOKEN handling in Docker build

KristjanESPERANTO · KristjanESPERANTO · commit 2b5cc9423edc · 2025-10-05T15:53:17.000+02:00
Use BuildKit secrets instead of ARG to prevent token exposure
diff --git a/.github/workflows/container-build.yaml b/.github/workflows/container-build.yaml
@@ -46,6 +46,6 @@ jobs:
           file: container/Dockerfile
           push: true
           platforms: linux/amd64
-          build-args: |
-            GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}
+          secrets: |
+            github_token=${{ secrets.GITHUB_TOKEN }}
           tags: ${{ steps.meta.outputs.image }}
diff --git a/container/Dockerfile b/container/Dockerfile
@@ -8,12 +8,14 @@ WORKDIR /workspace
 
 COPY . .
 
-ARG GITHUB_TOKEN WIKI_FILE
-RUN <<EOF
+ARG WIKI_FILE
+RUN --mount=type=secret,id=github_token <<EOF
 set -e
 git config --global --add safe.directory /workspace
 git log -1
-export GITHUB_TOKEN="${GITHUB_TOKEN}"
+if [ -f /run/secrets/github_token ]; then
+	export GITHUB_TOKEN="$(cat /run/secrets/github_token)"
+fi
 export NODE_OPTIONS="--experimental-strip-types"
 npm clean-install
 node --run all
