Conversation
36fa4ed to b66d624
Pull request overview
This PR standardizes private-repo access by switching GitHub workflows from a user-scoped GH_PAT secret to an org-scoped GIT_ACCESS_TOKEN, and updates the Docker build to pass the token via a BuildKit secret rather than a build arg.
Changes:
- Replace `GH_PAT` usages in CI workflows with `GIT_ACCESS_TOKEN`.
- Update the reusable Docker workflow to forward `GIT_ACCESS_TOKEN` into the image build as a BuildKit secret.
- Update the `Dockerfile` to consume the token via `RUN --mount=type=secret` instead of `ARG`/build-args.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| Dockerfile | Switches private-module auth from build arg to BuildKit secret during go mod download. |
| .github/workflows/tests.yml | Updates CI jobs to use secrets.GIT_ACCESS_TOKEN instead of secrets.GH_PAT. |
| .github/workflows/release.yml | Updates release workflow to use secrets.GIT_ACCESS_TOKEN instead of secrets.GH_PAT. |
| .github/workflows/docker.yml | Renames required workflow secret to GIT_ACCESS_TOKEN and passes it to build as a secret. |
| if [ -f /run/secrets/gh_token ] && [ -s /run/secrets/gh_token ]; then \ | ||
| token=$(cat /run/secrets/gh_token); \ | ||
| git config --global url."https://oauth2:${token}@${PRIVATE_REPO_HOST}".insteadOf "https://${PRIVATE_REPO_HOST}"; \ | ||
| fi && \ |
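Review bot: the insteadOf rewrite on the third line writes the token into the global git config of the build user (`/root/.gitconfig` when building as root), so it lands in this layer's filesystem even though the secret mount keeps it out of build args and image history. Unless this is a discarded builder stage, the config should be removed again in the same RUN instruction once `go mod download` has finished, for example by chaining `git config --global --unset-all url."https://oauth2:${token}@${PRIVATE_REPO_HOST}".insteadOf` (or `rm -f ~/.gitconfig`) after the download, so no token-bearing file is committed to a layer.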
This makes the token optional (only configures git if the secret file exists). Since go env -w GOPRIVATE=${PRIVATE_REPO_HOST} is always set, builds that need private deps will now fail later with a less actionable error. Consider failing fast with a clear message when /run/secrets/gh_token is missing/empty (or when private deps are detected), and also trim trailing newlines from the secret value before embedding it in the URL to avoid subtle auth failures.
| if [ -f /run/secrets/gh_token ] && [ -s /run/secrets/gh_token ]; then \ | |
| token=$(cat /run/secrets/gh_token); \ | |
| git config --global url."https://oauth2:${token}@${PRIVATE_REPO_HOST}".insteadOf "https://${PRIVATE_REPO_HOST}"; \ | |
| fi && \ | |
| if [ ! -f /run/secrets/gh_token ]; then \ | |
| echo "error: /run/secrets/gh_token is required to download private Go modules from ${PRIVATE_REPO_HOST}" >&2; \ | |
| exit 1; \ | |
| fi; \ | |
| token=$(tr -d '\n' < /run/secrets/gh_token); \ | |
| if [ -z "$token" ]; then \ | |
| echo "error: /run/secrets/gh_token is empty; cannot authenticate to ${PRIVATE_REPO_HOST}" >&2; \ | |
| exit 1; \ | |
| fi; \ | |
| git config --global url."https://oauth2:${token}@${PRIVATE_REPO_HOST}".insteadOf "https://${PRIVATE_REPO_HOST}" && \ |
| RUN --mount=type=secret,id=gh_token \ | ||
| if [ -f /run/secrets/gh_token ] && [ -s /run/secrets/gh_token ]; then \ |
RUN --mount=type=secret requires BuildKit. The repo’s make docker-build target currently uses plain docker build and only mentions BuildKit for cross-platform builds; with this change, local builds will fail unless BuildKit is enabled. Consider documenting this requirement (or updating the Makefile/README) so developers don’t hit an unexpected build error.
| # Cache deps before building and copying source. Use BuildKit secret for GH_TOKEN so it | ||
| # never appears in build args or image history. Pass with: --secret id=gh_token,env=GH_TOKEN |
The inline instructions still reference GH_TOKEN/GH_TOKEN env, but this PR switches CI to GIT_ACCESS_TOKEN and the mounted secret id is gh_token. Update this comment so local build instructions match the new secret name/source and don’t mislead users.
| # Cache deps before building and copying source. Use BuildKit secret for GH_TOKEN so it | |
| # never appears in build args or image history. Pass with: --secret id=gh_token,env=GH_TOKEN | |
| # Cache deps before building and copying source. Use BuildKit secret for GIT_ACCESS_TOKEN so it | |
| # never appears in build args or image history. Pass with: --secret id=gh_token,env=GIT_ACCESS_TOKEN |
During my tests on deployment-descriptor-operator I was trying to take inspiration from ui-operator.
I figured out that in order to fetch the repository we use the `GH_PAT` token (personal token linked to a single GitHub account). It works, but it's not the most common way. We should use GIT_ACCESS_TOKEN, which is an org ENV variable that gives us access to other repositories (reconciler-framework in our case).
I've also changed the Dockerfile in order to hide the `GIT_ACCESS_TOKEN` in a secret. It's not super critical in our case but still nice to have IMO. After this PR, we can safely remove the GH_PAT in our settings/secrets.