feat: enhance Dockerfile to support GitHub token via secret mount and improve error handling

Author: KristjanESPERANTO

.github/workflows/container-build.yaml

@@ -46,6 +46,9 @@ jobs:
           file: container/Dockerfile
           push: true
           platforms: linux/amd64
-          build-args: |
-            GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}
+          secrets: |
+            # Optionally replace secrets.GITHUB_TOKEN with a PAT (store it under the same secret name
+            # or adjust this mapping) to avoid 401 responses and heavy rate limiting when the pipeline
+            # fetches metadata for thousands of modules.
+            github_token=${{ secrets.GITHUB_TOKEN }}
           tags: ${{ steps.meta.outputs.image }}

container/Dockerfile

@@ -1,3 +1,5 @@
+# syntax=docker/dockerfile:1.7
+
 FROM node:24-slim AS builder
 
 RUN apt-get update \
@@ -8,12 +10,18 @@ WORKDIR /workspace
 
 COPY . .
 
-ARG GITHUB_TOKEN WIKI_FILE
-RUN <<EOF
+ARG WIKI_FILE
+RUN --mount=type=secret,id=github_token <<'EOF'
 set -e
 git config --global --add safe.directory /workspace
 git log -1
-export GITHUB_TOKEN="${GITHUB_TOKEN}"
+TOKEN_FILE="/run/secrets/github_token"
+if [ -f "$TOKEN_FILE" ]; then
+	GITHUB_TOKEN_VALUE="$(cat "$TOKEN_FILE")"
+	if [ -n "$GITHUB_TOKEN_VALUE" ]; then
+		export GITHUB_TOKEN="$GITHUB_TOKEN_VALUE"
+	fi
+fi
 npm clean-install
 node --run all
 EOF

cspell.config.json

@@ -40,6 +40,7 @@
     "NOASSERTION",
     "omxplayer",
     "openweathermap",
+    "pipefail",
     "ptrbld",
     "ratp",
     "refspecs",