From 5d0a83f49268907fed95ada9da4135d1e5da13ec Mon Sep 17 00:00:00 2001
From: Patrick Ear
Date: Fri, 13 Feb 2026 17:29:07 +0100
Subject: [PATCH 1/2] use GIT_ACCESS_TOKEN instead of GH_PAT
---
 .github/workflows/docker.yml | 4 ++--
 .github/workflows/release.yml | 6 +++---
 .github/workflows/tests.yml | 6 +++---
 3 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 3a515a8..f6835bc 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -13,7 +13,7 @@ on:
 required: true
 type: boolean
 secrets:
- GH_PAT:
+ GIT_ACCESS_TOKEN:
 description: "A GitHub PAT with permissions to read the private repository."
 required: true
@@ -85,7 +85,7 @@ jobs:
 cache-from: type=gha
 cache-to: type=gha,mode=max
 build-args: |
- GH_TOKEN=${{ secrets.GH_PAT }}
+ GH_TOKEN=${{ secrets.GIT_ACCESS_TOKEN }}
 PRIVATE_REPO_HOST=github.com/scality
 BUILD_DATE=${{ fromJson(steps.meta.outputs.json)['org.opencontainers.image.created'] }}
 GIT_COMMIT=${{ github.sha }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 25ae6e7..6139295 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -51,7 +51,7 @@ jobs:
 uses: ./.github/actions/setup-go-private
 with:
 go-version: ${{ env.GO_VERSION }}
- gh-token: ${{ secrets.GH_PAT }}
+ gh-token: ${{ secrets.GIT_ACCESS_TOKEN }}
 - name: Run tests
 run: make test
@@ -63,7 +63,7 @@ jobs:
 version: ${{ needs.precheck.outputs.tag }}
 push-image: true
 secrets:
- GH_PAT: ${{ secrets.GH_PAT }}
+ GIT_ACCESS_TOKEN: ${{ secrets.GIT_ACCESS_TOKEN }}
 upload-crds:
 runs-on: ubuntu-24.04
@@ -81,7 +81,7 @@ jobs:
 uses: ./.github/actions/setup-go-private
 with:
 go-version: ${{ env.GO_VERSION }}
- gh-token: ${{ secrets.GH_PAT }}
+ gh-token: ${{ secrets.GIT_ACCESS_TOKEN }}
 - name: Package CRDs
 run: make package-crds VERSION=${{ needs.precheck.outputs.tag }}
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 3c86b5d..a2aaba9 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -22,7 +22,7 @@ jobs:
 uses: ./.github/actions/setup-go-private
 with:
 go-version: ${{ env.GO_VERSION }}
- gh-token: ${{ secrets.GH_PAT }}
+ gh-token: ${{ secrets.GIT_ACCESS_TOKEN }}
 - name: Install dependencies
 run: go mod download
@@ -35,7 +35,7 @@ jobs:
 with:
 push-image: true
 secrets:
- GH_PAT: ${{ secrets.GH_PAT }}
+ GIT_ACCESS_TOKEN: ${{ secrets.GIT_ACCESS_TOKEN }}
 e2e:
 name: E2E Tests
@@ -54,7 +54,7 @@ jobs:
 uses: ./.github/actions/setup-go-private
 with:
 go-version: ${{ env.GO_VERSION }}
- gh-token: ${{ secrets.GH_PAT }}
+ gh-token: ${{ secrets.GIT_ACCESS_TOKEN }}
 - name: Login to Registry
 uses: docker/login-action@v3
From b66d6243790a1530464629fa5ccf4a4c899d6150 Mon Sep 17 00:00:00 2001
From: Patrick Ear
Date: Fri, 13 Feb 2026 17:32:42 +0100
Subject: [PATCH 2/2] hide token in a secret during docker build
---
 .github/workflows/docker.yml | 3 ++-
 Dockerfile | 17 +++++++++--------
 2 files changed, 11 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index f6835bc..9964932 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -85,12 +85,13 @@ jobs:
 cache-from: type=gha
 cache-to: type=gha,mode=max
 build-args: |
- GH_TOKEN=${{ secrets.GIT_ACCESS_TOKEN }}
 PRIVATE_REPO_HOST=github.com/scality
 BUILD_DATE=${{ fromJson(steps.meta.outputs.json)['org.opencontainers.image.created'] }}
 GIT_COMMIT=${{ github.sha }}
 SOURCE_DATE_EPOCH=${{ env.SOURCE_DATE_EPOCH }}
 VERSION=${{ inputs.version || github.sha }}
+ secrets: |
+ gh_token=${{ secrets.GIT_ACCESS_TOKEN }}
 - name: Generate GitHub SLSA provenance
 uses: actions/attest-build-provenance@v1
diff --git a/Dockerfile b/Dockerfile
index f2d3736..c02ee9a 100644
--- a/Dockerfile
+++ b/Dockerfile
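Review bot: The new `secrets:` block in the docker.yml hunk carries no explanation of why the token left `build-args`, so a later maintainer who needs the token in another build stage may move it back without realising what that exposes; a comment above the block would pin the intent: `# BuildKit secret, not a build-arg: only RUN steps that mount id=gh_token can read it, and it is not stored in image layers or shown by docker history`. The `gh_token` id must match the `--mount=type=secret,id=gh_token` in the Dockerfile, which is worth naming in the same comment since nothing else ties the two files together. The enclosing build step starts before the hunk.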
@@ -1,8 +1,6 @@
 # Build the manager binary
 FROM golang:1.24 AS builder
-ARG GH_TOKEN
-
 ARG PRIVATE_REPO_HOST=github.com/scality
 ARG TARGETOS
@@ -12,16 +10,19 @@ WORKDIR /workspace
 RUN go env -w GOPRIVATE=${PRIVATE_REPO_HOST}
-RUN if [ -z "$GH_TOKEN" ]; then echo "GH_TOKEN is missing"; exit 1; fi && \
- git config --global url."https://oauth2:${GH_TOKEN}@${PRIVATE_REPO_HOST}".insteadOf "https://${PRIVATE_REPO_HOST}"
-
 # Copy the Go Modules manifests
 COPY go.mod go.mod
 COPY go.sum go.sum
-# cache deps before building and copying source so that we don't need to re-download as much
-# and so that source changes don't invalidate our downloaded layer
-RUN go mod download
+# Cache deps before building and copying source. Use BuildKit secret for GH_TOKEN so it
+# never appears in build args or image history. Pass with: --secret id=gh_token,env=GH_TOKEN
+RUN --mount=type=secret,id=gh_token \
+ if [ -f /run/secrets/gh_token ] && [ -s /run/secrets/gh_token ]; then \
+ token=$(cat /run/secrets/gh_token); \
+ git config --global url."https://oauth2:${token}@${PRIVATE_REPO_HOST}".insteadOf "https://${PRIVATE_REPO_HOST}"; \
+ fi && \
+ go mod download && \
+ rm -f /root/.gitconfig
 # Copy the go source
 COPY cmd/main.go cmd/main.go
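Review bot: The new RUN silently skips the credential setup when `/run/secrets/gh_token` is absent or empty, whereas the removed `if [ -z "$GH_TOKEN" ]` check failed the build immediately; a build started without `--secret id=gh_token` now fails later inside `go mod download` with a less obvious private-module authentication error. Unless builds without the secret are intended, restore the fail-fast (the `-f` test is redundant, `-s` already implies the file exists). The rewrite rule can also be handed to git through `GIT_CONFIG_COUNT`/`GIT_CONFIG_KEY_0`/`GIT_CONFIG_VALUE_0` on the `go mod download` command itself (git 2.31+, which the golang:1.24 image presumably ships — confirm), so the token never touches `/root/.gitconfig` and the trailing `rm -f` is no longer needed; today that cleanup holds only because all three commands share one RUN, which the comment above it should state so nobody splits them later. Sketch of the rewritten RUN below.
```dockerfile
RUN --mount=type=secret,id=gh_token \
    if [ ! -s /run/secrets/gh_token ]; then echo "gh_token secret is missing" >&2; exit 1; fi && \
    GIT_CONFIG_COUNT=1 \
    GIT_CONFIG_KEY_0="url.https://oauth2:$(cat /run/secrets/gh_token)@${PRIVATE_REPO_HOST}.insteadOf" \
    GIT_CONFIG_VALUE_0="https://${PRIVATE_REPO_HOST}" \
    go mod download
```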