fix(ci): use BuildKit secrets instead of build-arg for GITHUB_TOKEN (#327)

drew · web-flow · commit 66ba07f93a22 · 2026-03-15T12:53:44.000-07:00
diff --git a/.github/workflows/ci-image.yml b/.github/workflows/ci-image.yml
@@ -36,10 +36,12 @@ jobs:
         uses: ./.github/actions/setup-buildx
 
       - name: Build and push CI image
+        env:
+          MISE_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           docker buildx build \
             --platform linux/amd64,linux/arm64 \
-            --build-arg MISE_GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }} \
+            --secret id=MISE_GITHUB_TOKEN,env=MISE_GITHUB_TOKEN \
             --push \
             -t ${{ env.CI_IMAGE }}:${{ github.sha }} \
             -t ${{ env.CI_IMAGE }}:latest \
diff --git a/deploy/docker/Dockerfile.ci b/deploy/docker/Dockerfile.ci
@@ -77,8 +77,9 @@ RUN curl https://mise.run | sh
 COPY mise.toml /opt/mise/mise.toml
 COPY tasks/ /opt/mise/tasks/
 WORKDIR /opt/mise
-ARG MISE_GITHUB_TOKEN
-RUN mise trust /opt/mise/mise.toml && \
+RUN --mount=type=secret,id=MISE_GITHUB_TOKEN \
+    export MISE_GITHUB_TOKEN="$(cat /run/secrets/MISE_GITHUB_TOKEN 2>/dev/null || true)" && \
+    mise trust /opt/mise/mise.toml && \
     env -u RUSTC_WRAPPER mise install && \
     /root/.cargo/bin/rustup component remove rust-docs || true && \
     rm -rf /root/.rustup/toolchains/*/share/doc /root/.rustup/toolchains/*/share/man
