From f74cb3f57dbc7d6c68f5a13071aacb19de10ff82 Mon Sep 17 00:00:00 2001
From: baseplate-admin <61817579+baseplate-admin@users.noreply.github.com>
Date: Sat, 11 Apr 2026 15:25:02 +0600
Subject: [PATCH 1/2] add

---
 .github/workflows/push-landing-page-ghcr.yml | 2 ++
 apps/landing-page/Dockerfile                 | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/.github/workflows/push-landing-page-ghcr.yml b/.github/workflows/push-landing-page-ghcr.yml
index 4f2d0c2b..755fb7a0 100644
--- a/.github/workflows/push-landing-page-ghcr.yml
+++ b/.github/workflows/push-landing-page-ghcr.yml
@@ -40,6 +40,8 @@ jobs:
 
       - name: Build and push image
         uses: docker/build-push-action@v7
+        env:
+          GITHUB_TOKEN: ${{ secrets.GHP_TOKEN }}
         with:
           context: ./apps/landing-page
           file: ./apps/landing-page/Dockerfile
diff --git a/apps/landing-page/Dockerfile b/apps/landing-page/Dockerfile
index 80db0ca5..f953e6f4 100644
--- a/apps/landing-page/Dockerfile
+++ b/apps/landing-page/Dockerfile
@@ -27,6 +27,8 @@ COPY . .
 # Uncomment the following line in case you want to disable telemetry during the build.
 ENV NEXT_TELEMETRY_DISABLED=1
 
+ENV GITHUB_TOKEN=${GITHUB_TOKEN}
+
 RUN \
     if [ -f yarn.lock ]; then yarn run build; \
     elif [ -f package-lock.json ]; then npm run build; \

From bb9d7a53a0e757a59e5e4c9fb7f4a26154ecdac4 Mon Sep 17 00:00:00 2001
From: baseplate-admin <61817579+baseplate-admin@users.noreply.github.com>
Date: Sat, 11 Apr 2026 15:29:37 +0600
Subject: [PATCH 2/2] Inject from secrets

---
 .github/workflows/push-landing-page-ghcr.yml | 4 ++--
 apps/landing-page/Dockerfile                 | 5 ++---
 2 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/push-landing-page-ghcr.yml b/.github/workflows/push-landing-page-ghcr.yml
index 755fb7a0..b7a3e50e 100644
--- a/.github/workflows/push-landing-page-ghcr.yml
+++ b/.github/workflows/push-landing-page-ghcr.yml
@@ -40,12 +40,12 @@ jobs:
 
       - name: Build and push image
         uses: docker/build-push-action@v7
-        env:
-          GITHUB_TOKEN: ${{ secrets.GHP_TOKEN }}
         with:
           context: ./apps/landing-page
           file: ./apps/landing-page/Dockerfile
           push: true
+          secrets: |
+            github_token=${{ secrets.GHP_TOKEN }}
           tags: |
             ghcr.io/${{ github.repository }}-landing-page:latest
             ghcr.io/${{ github.repository }}-landing-page:${{ github.sha }}
diff --git a/apps/landing-page/Dockerfile b/apps/landing-page/Dockerfile
index f953e6f4..6232332c 100644
--- a/apps/landing-page/Dockerfile
+++ b/apps/landing-page/Dockerfile
@@ -27,9 +27,8 @@ COPY . .
 # Uncomment the following line in case you want to disable telemetry during the build.
 ENV NEXT_TELEMETRY_DISABLED=1
 
-ENV GITHUB_TOKEN=${GITHUB_TOKEN}
-
-RUN \
+RUN --mount=type=secret,id=github_token \
+    export GITHUB_TOKEN=$(cat /run/secrets/github_token) && \
     if [ -f yarn.lock ]; then yarn run build; \
     elif [ -f package-lock.json ]; then npm run build; \
     elif [ -f pnpm-lock.yaml ]; then corepack enable pnpm && pnpm run build; \