From bd84b28cd1ba26b56271ce00aa9f3f24efa252a7 Mon Sep 17 00:00:00 2001
From: Benjamin Sherman
Date: Fri, 13 Mar 2026 15:25:59 +0000
Subject: [PATCH 1/2] fix: authenticate GitHub API calls to avoid rate limit failures
---
 .github/workflows/build-image.yml | 2 ++
 Containerfile | 1 +
 Justfile | 3 +++
 github-release-install.sh | 9 ++++++++-
 github-release-url.sh | 9 ++++++++-
 5 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/build-image.yml b/.github/workflows/build-image.yml
index c9c145c..b42c835 100644
--- a/.github/workflows/build-image.yml
+++ b/.github/workflows/build-image.yml
@@ -79,6 +79,8 @@ jobs:
 - name: Build Image
 shell: bash
+ env:
+ GITHUB_TOKEN: ${{ github.token }}
 run: |
 # note: if disabling rechunker, must also disable sudo call
 # just build ${{ matrix.combo.image }}
diff --git a/Containerfile b/Containerfile
index 743359e..a9c6c8f 100644
--- a/Containerfile
+++ b/Containerfile
@@ -14,4 +14,5 @@ ARG VERSION=""
 ARG DNF=""
 RUN --mount=type=bind,from=ctx,src=/,dst=/ctx \
+ --mount=type=secret,id=GITHUB_TOKEN \
 /ctx/build.sh
diff --git a/Justfile b/Justfile
index 483b321..8f58666 100644
--- a/Justfile
+++ b/Justfile
@@ -164,6 +164,9 @@ build image="bluefin":
 echo "::endgroup::"
 echo "::group:: Container Build"
+ if [[ -n "${GITHUB_TOKEN:-}" ]]; then
+ BUILD_ARGS+=("--secret" "id=GITHUB_TOKEN,env=GITHUB_TOKEN")
+ fi
 {{ PODMAN }} build "${BUILD_ARGS[@]}" .
 echo "::endgroup::"
diff --git a/github-release-install.sh b/github-release-install.sh
index 2e620a3..1cfd245 100755
--- a/github-release-install.sh
+++ b/github-release-install.sh
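Review bot: The `env:` block added to the Build Image step exposes the job token to everything `just build` runs, and the job's `permissions:` block is outside this hunk, so the scope that token carries cannot be checked from here. Authenticating release lookups against api.github.com only needs read access; if this job also holds write scopes for publishing, the build scripts receive those too. I would confirm the job-level permissions and add a comment above the variable, e.g. `# read-only use: authenticates GitHub release lookups during the container build`.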
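Review bot: The secret mount on the `RUN` line makes `/run/secrets/GITHUB_TOKEN` readable by every script that `/ctx/build.sh` invokes, and the install script patched later in this series enables `set -x` whenever `SET_X` is set (visible in its hunk heading). With tracing on, the token assignment, and presumably the curl arguments built from it, would be echoed into the build log; the rest of that script is not visible here, so this part is inferred. Suspending tracing around the read and the authenticated call would close that, e.g. `{ set +x; } 2>/dev/null` before reading the secret, with tracing restored only afterwards.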
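Review bot: The new `if` block forwards whatever `GITHUB_TOKEN` happens to be set in the caller's environment, which on a developer machine is often a personal token with far broader scopes than a release lookup needs. The `env=` form keeps the value off the podman command line, which is good, but the forwarding is silent. A comment above the block would make the contract explicit, e.g. `# Optional: forwarded as a build secret (never a build arg) to authenticate release lookups; a read-only token is enough`. The `build` recipe starts and ends outside this hunk.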
@@ -44,8 +44,15 @@ set ${SET_X:+-x} -eou pipefail
 API_JSON=$(mktemp /tmp/api-XXXXXXXX.json)
 API="https://api.github.com/repos/${ORG_PROJ}/releases/${RELTAG}"
+# Read GitHub token from secret mount if available (authenticates API to avoid rate limits)
+CURL_AUTH_ARGS=()
+if [[ -r /run/secrets/GITHUB_TOKEN ]]; then
+ GITHUB_TOKEN=$(
Date: Fri, 13 Mar 2026 16:17:00 +0000
Subject: [PATCH 2/2] fix(ci): forward GITHUB_TOKEN through sudo env for secret mount
---
 .github/workflows/build-image.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build-image.yml b/.github/workflows/build-image.yml
index b42c835..0772c9e 100644
--- a/.github/workflows/build-image.yml
+++ b/.github/workflows/build-image.yml
@@ -84,7 +84,7 @@ jobs:
 run: |
 # note: if disabling rechunker, must also disable sudo call
 # just build ${{ matrix.combo.image }}
- sudo env PATH="$PATH" just build ${{ matrix.combo.image }}
+ sudo env PATH="$PATH" GITHUB_TOKEN="$GITHUB_TOKEN" just build ${{ matrix.combo.image }}
 - name: Rechunk Image
 shell: bash
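Review bot: Passing `GITHUB_TOKEN="$GITHUB_TOKEN"` as an argument to `env` puts the token value in the argv of the `sudo` process, where it is readable from the process list for as long as the build runs. Log masking does not cover that. Letting sudo carry the variable keeps it out of argv: `sudo --preserve-env=GITHUB_TOKEN env PATH="$PATH" just build ${{ matrix.combo.image }}`. This assumes the runner's sudoers policy permits preserving environment variables, which is not visible here. The step's `run:` block starts outside this hunk.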