From afcf15b411fba66e858e6fc788ef67776c359c6f Mon Sep 17 00:00:00 2001
From: Drew Newberry
Date: Sun, 15 Mar 2026 12:49:20 -0700
Subject: [PATCH] fix(ci): use BuildKit secrets instead of build-arg for GITHUB_TOKEN

Build arguments persist in Docker image layer metadata and can be extracted with docker history or docker inspect. Switch to --mount=type=secret so the token is only available during the RUN step and never written to any image layer.
---
 .github/workflows/ci-image.yml | 4 +++-
 deploy/docker/Dockerfile.ci | 5 +++--
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/ci-image.yml b/.github/workflows/ci-image.yml
index 853a72fc..2f7737d9 100644
--- a/.github/workflows/ci-image.yml
+++ b/.github/workflows/ci-image.yml
@@ -36,10 +36,12 @@ jobs:
         uses: ./.github/actions/setup-buildx
 
       - name: Build and push CI image
+        env:
+          MISE_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           docker buildx build \
             --platform linux/amd64,linux/arm64 \
-            --build-arg MISE_GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }} \
+            --secret id=MISE_GITHUB_TOKEN,env=MISE_GITHUB_TOKEN \
             --push \
             -t ${{ env.CI_IMAGE }}:${{ github.sha }} \
             -t ${{ env.CI_IMAGE }}:latest \
diff --git a/deploy/docker/Dockerfile.ci b/deploy/docker/Dockerfile.ci
index 55ff8032..f1a1405a 100644
--- a/deploy/docker/Dockerfile.ci
+++ b/deploy/docker/Dockerfile.ci
@@ -77,8 +77,9 @@ RUN curl https://mise.run | sh
 COPY mise.toml /opt/mise/mise.toml
 COPY tasks/ /opt/mise/tasks/
 WORKDIR /opt/mise
-ARG MISE_GITHUB_TOKEN
-RUN mise trust /opt/mise/mise.toml && \
+RUN --mount=type=secret,id=MISE_GITHUB_TOKEN \
+    export MISE_GITHUB_TOKEN="$(cat /run/secrets/MISE_GITHUB_TOKEN 2>/dev/null || true)" && \
+    mise trust /opt/mise/mise.toml && \
     env -u RUSTC_WRAPPER mise install && \
     /root/.cargo/bin/rustup component remove rust-docs || true && \
     rm -rf /root/.rustup/toolchains/*/share/doc /root/.rustup/toolchains/*/share/man
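Review bot: The new `export` line deliberately falls back to an empty token (`2>/dev/null || true` inside the substitution), so a build run without `--secret` proceeds unauthenticated, and the pre-existing `|| true` on the rustup line then masks a failed `mise trust`/`mise install` too, because sh's `&&` and `||` have equal precedence and associate left, leaving the whole RUN to exit with the status of the final `rm -rf`; the CI image could be pushed with tools missing and no build failure. Scope the suppression to the one command it was meant for: `{ /root/.cargo/bin/rustup component remove rust-docs || true; } && \`. If the file's syntax directive (outside this hunk) pins a frontend new enough for the `env=` option on secret mounts, `--mount=type=secret,id=MISE_GITHUB_TOKEN,env=MISE_GITHUB_TOKEN` removes the `cat` line while still keeping the value out of every layer. The `curl https://mise.run | sh` in the hunk header predates this change but fetches the installer unpinned and unverified; a pinned version plus checksum would be a worthwhile follow-up.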