From 2712876e9582fe48addcaafab15531d45148b0dd Mon Sep 17 00:00:00 2001
From: Alexandre Daubois <2144837+alexandre-daubois@users.noreply.github.com>
Date: Tue, 24 Jun 2025 16:51:21 +0200
Subject: [PATCH] ci(docker): authenticate GitHub API calls (#1680)
---
 Dockerfile | 23 +++++++++++++++--------
 alpine.Dockerfile | 23 +++++++++++++++--------
 docker-bake.hcl | 1 +
 3 files changed, 31 insertions(+), 16 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index ec896cdd..9ae795d0 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -81,16 +81,23 @@ RUN apt-get update && \
 # Install e-dant/watcher (necessary for file watching)
 WORKDIR /usr/local/src/watcher
-RUN curl -s https://api.github.com/repos/e-dant/watcher/releases/latest | \
- grep tarball_url | \
- awk '{ print $2 }' | \
- sed 's/,$//' | \
- sed 's/"//g' | \
- xargs curl -L | \
+RUN --mount=type=secret,id=github-token \
+ if [ -f /run/secrets/github-token ] && [ -s /run/secrets/github-token ]; then \
+ echo "Using authenticated GitHub API request"; \
+ curl -s -H "Authorization: Bearer $(cat /run/secrets/github-token)" https://api.github.com/repos/e-dant/watcher/releases/latest; \
+ else \
+ echo "Using unauthenticated GitHub API request"; \
+ curl -s https://api.github.com/repos/e-dant/watcher/releases/latest; \
+ fi | \
+ grep tarball_url | \
+ awk '{ print $2 }' | \
+ sed 's/,$//' | \
+ sed 's/"//g' | \
+ xargs curl -L | \
 tar xz --strip-components 1 && \
 cmake -S . -B build -DCMAKE_BUILD_TYPE=Release && \
- cmake --build build && \
- cmake --install build && \
+ cmake --build build && \
+ cmake --install build && \
 ldconfig
 WORKDIR /go/src/app
diff --git a/alpine.Dockerfile b/alpine.Dockerfile
index 6d550c1d..bb53a7ee 100644
--- a/alpine.Dockerfile
+++ b/alpine.Dockerfile
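Review bot: In the Dockerfile hunk, `--mount=type=secret,id=github-token` applies to the whole `RUN` instruction, so `/run/secrets/github-token` stays readable while `cmake -S`, `cmake --build` and `cmake --install` run the build scripts of the tarball that was just downloaded. That tarball is whatever `releases/latest` resolves to at build time, and no pinned tag or checksum is visible in the hunk, so the token is exposed to code the build has not verified. Ending the mounted `RUN` at `tar xz --strip-components 1` and moving the cmake steps and `ldconfig` into a second `RUN` without the mount limits the token to the API lookup; pinning a release tag and verifying a digest would be a further hardening step. The alpine.Dockerfile hunk has the same structure and needs the same split, minus `ldconfig`.

```dockerfile
RUN --mount=type=secret,id=github-token \
    # … unchanged: authenticated/unauthenticated release lookup, tarball_url extraction, xargs curl -L …
    tar xz --strip-components 1

# No secret mount here: upstream build scripts run without access to the token
RUN cmake -S . -B build -DCMAKE_BUILD_TYPE=Release && \
    cmake --build build && \
    cmake --install build && \
    ldconfig
```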
@@ -88,16 +88,23 @@ RUN apk add --no-cache --virtual .build-deps \
 # Install e-dant/watcher (necessary for file watching)
 WORKDIR /usr/local/src/watcher
-RUN curl -s https://api.github.com/repos/e-dant/watcher/releases/latest | \
- grep tarball_url | \
- awk '{ print $2 }' | \
- sed 's/,$//' | \
- sed 's/"//g' | \
- xargs curl -L | \
+RUN --mount=type=secret,id=github-token \
+ if [ -f /run/secrets/github-token ] && [ -s /run/secrets/github-token ]; then \
+ echo "Using authenticated GitHub API request"; \
+ curl -s -H "Authorization: Bearer $(cat /run/secrets/github-token)" https://api.github.com/repos/e-dant/watcher/releases/latest; \
+ else \
+ echo "Using unauthenticated GitHub API request"; \
+ curl -s https://api.github.com/repos/e-dant/watcher/releases/latest; \
+ fi | \
+ grep tarball_url | \
+ awk '{ print $2 }' | \
+ sed 's/,$//' | \
+ sed 's/"//g' | \
+ xargs curl -L | \
 tar xz --strip-components 1 && \
 cmake -S . -B build -DCMAKE_BUILD_TYPE=Release && \
- cmake --build build && \
- cmake --install build
+ cmake --build build && \
+ cmake --install build
 WORKDIR /go/src/app
diff --git a/docker-bake.hcl b/docker-bake.hcl
index 2de833ef..915354c4 100644
--- a/docker-bake.hcl
+++ b/docker-bake.hcl
@@ -116,6 +116,7 @@ target "default" {
 args = {
 FRANKENPHP_VERSION = VERSION
 }
+ secret = ["id=github-token,env=GITHUB_TOKEN"]
 }
 target "static-builder-musl" {
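Review bot: Both `echo "Using … GitHub API request"` lines write to the stdout of the `if … fi` block, which is piped straight into `grep tarball_url`, so the messages are filtered out and never reach the build log. Sending them to stderr fixes that, e.g. `echo "Using authenticated GitHub API request" >&2;`. The lookups also keep `curl -s` without `-f`, so an expired or rejected token returns a JSON error body with no `tarball_url`, and the problem is likely to surface only as an error from a later pipeline stage; using `curl -fsS` in both branches would print the HTTP error where it occurs. The identical lines in the Dockerfile hunk need the same two changes.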
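Review bot: The new `secret` entry does not say what the token is for or how much access it needs, and `env=GITHUB_TOKEN` forwards whatever value that variable holds in the invoking environment into the build. The Dockerfile hunks in this patch use it only to read a public release endpoint, so a comment above the line would keep it least-privilege: `# Optional: only raises the GitHub API rate limit for the watcher download; a token without write scopes is enough`. Only `target "default"` is visible here, and its block starts above the hunk, so it is worth confirming whether any other target that builds these Dockerfiles should receive the secret too or is meant to stay unauthenticated.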