feat: Add GitHub token handling for Docker build and CodeQL installation

Author: GeekMasher

.github/workflows/build.yml

@@ -95,12 +95,16 @@ jobs:
             # latest / main
             type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'main') }}
 
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Build Container ${{ github.repository }}
         uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         id: build
-        env:
-          # Secrets for GH CLI
-          GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
         with:
           file: "./Dockerfile"
           context: .
@@ -109,9 +113,9 @@ jobs:
           labels: ${{ steps.meta.outputs.labels }}
           # SBOM Settings
           sbom: true
-          # Secrets for GH CLI
-          secret-envs: |
-            GH_TOKEN=GITHUB_TOKEN
+          # Pass GitHub token as a build secret
+          secrets: |
+            "github_token=${{ secrets.GITHUB_TOKEN }}"
 
       # Upload Software Bill of Materials (SBOM) to GitHub
       - name: Upload SBOM

Dockerfile

@@ -31,8 +31,20 @@ RUN apt-get update && \
     apt-get clean && \
     rm -rf /var/lib/apt/lists/*
 
+# Define GitHub token as a build ARG
+ARG github_token
+
 # Install the CodeQL extension for GitHub CLI
-RUN gh extensions install github/gh-codeql && \
-    gh codeql install-stub
+RUN --mount=type=secret,id=github_token \
+    if [ -f "/run/secrets/github_token" ]; then \
+      export GITHUB_TOKEN=$(cat /run/secrets/github_token); \
+      gh auth setup-git; \
+      gh extensions install github/gh-codeql && \
+      gh codeql install-stub; \
+    else \
+      echo "No GitHub token provided, using public access"; \
+      gh extensions install github/gh-codeql && \
+      gh codeql install-stub; \
+    fi
 
 ENTRYPOINT [ "codeql-extractor-action" ]