From e4c5efd5e3ef9b77ab2c7a3e283cfd6b1c8fe138 Mon Sep 17 00:00:00 2001
From: immanuwell <pchpr.00@list.ru>
Date: Fri, 8 May 2026 14:50:53 +0400
Subject: [PATCH] fix: redact runtime repository credentials

---
 pkg/build/types/types.go      | 4 ++++
 pkg/build/types/types_test.go | 6 ++++++
 2 files changed, 10 insertions(+)

diff --git a/pkg/build/types/types.go b/pkg/build/types/types.go
index e920acc39..130a04d65 100644
--- a/pkg/build/types/types.go
+++ b/pkg/build/types/types.go
@@ -134,6 +134,10 @@ func (i ImageContents) MarshalYAML() (any, error) {
 		return nil, err
 	}
 
+	if err := processRepositoryURLs(ri.RuntimeOnlyRepositories); err != nil {
+		return nil, err
+	}
+
 	if err := processRepositoryURLs(ri.Repositories); err != nil {
 		return nil, err
 	}
diff --git a/pkg/build/types/types_test.go b/pkg/build/types/types_test.go
index fdf1b152b..e6a93b00f 100644
--- a/pkg/build/types/types_test.go
+++ b/pkg/build/types/types_test.go
@@ -59,6 +59,12 @@ func TestYamlMarshallingRepositories(t *testing.T) {
 			Repositories: []string{"@myorg " + alpineWithCreds},
 		},
 		want: fmt.Sprintf("repositories:\n    - '@myorg %s'\n", "https://user:xxxxx@dl-cdn.my.org/alpine/v3.22/main"),
+	}, {
+		desc: "runtime repository with creds",
+		in: ImageContents{
+			RuntimeOnlyRepositories: []string{alpineWithCreds},
+		},
+		want: fmt.Sprintf("runtime_repositories:\n    - %s\n", "https://user:xxxxx@dl-cdn.my.org/alpine/v3.22/main"),
 	}, {
 		desc: "invalid tag format - missing @",
 		in: ImageContents{