ci: prevent github api rate limits using docker buildkit secrets

.github/scripts/build-image.sh

@@ -179,48 +179,61 @@ if [ -n "$RUSTFLAGS" ]; then
     SERVER_ZKVM_BUILD_ARGS+=(--build-arg "RUSTFLAGS=$RUSTFLAGS")
 fi
 
+# Pass GITHUB_TOKEN as a BuildKit secret if available
+# This allows authenticated GitHub API calls to avoid rate limiting
+# Using secrets instead of build args prevents token leakage in image history
+SECRET_ARGS=()
+if [ -n "${GITHUB_TOKEN:-}" ]; then
+    SECRET_ARGS=(--secret id=github_token,env=GITHUB_TOKEN)
+fi
+
 # Build images
 
 if [ "$BUILD_BASE" = true ]; then
     echo "Building base image: $BASE_IMAGE"
-    docker build \
+    DOCKER_BUILDKIT=1 docker build \
         --file "docker/Dockerfile.base" \
         --tag "$BASE_IMAGE" \
         "${BASE_BUILD_ARGS[@]}" \
+        "${SECRET_ARGS[@]}" \
         .
 
     echo "Building zkvm base image: $BASE_ZKVM_IMAGE"
-    docker build \
+    DOCKER_BUILDKIT=1 docker build \
         --file "docker/${ZKVM}/Dockerfile.base" \
         --tag "$BASE_ZKVM_IMAGE" \
         "${BASE_ZKVM_BUILD_ARGS[@]}" \
+        "${SECRET_ARGS[@]}" \
         .
 fi
 
 if [ "$BUILD_COMPILER" = true ]; then
     echo "Building zkvm compiler image: $COMPILER_ZKVM_IMAGE"
-    docker build \
+    DOCKER_BUILDKIT=1 docker build \
         --file "docker/${ZKVM}/Dockerfile.compiler" \
         --tag "$COMPILER_ZKVM_IMAGE" \
         "${COMPILER_ZKVM_BUILD_ARGS[@]}" \
+        "${SECRET_ARGS[@]}" \
         .
 fi
 
 if [ "$BUILD_SERVER" = true ]; then
     echo "Building zkvm server image: $SERVER_ZKVM_IMAGE"
-    docker build \
+    DOCKER_BUILDKIT=1 docker build \
         --file "docker/${ZKVM}/Dockerfile.server" \
         --tag "$SERVER_ZKVM_IMAGE" \
         "${SERVER_ZKVM_BUILD_ARGS[@]}" \
+        "${SECRET_ARGS[@]}" \
         .
 fi
 
 if [ "$BUILD_CLUSTER" = true ]; then
     echo "Building zkvm cluster image: $CLUSTER_ZKVM_IMAGE"
-    docker build \
+    DOCKER_BUILDKIT=1 docker build \
         --file "docker/${ZKVM}/Dockerfile.cluster" \
         --tag "$CLUSTER_ZKVM_IMAGE" \
         "${CLUSTER_ZKVM_BUILD_ARGS[@]}" \
+        "${SECRET_ARGS[@]}" \
         .
 fi
 

.github/scripts/pull-or-build-base-zkvm-image.sh

@@ -95,5 +95,6 @@ else
     if [ -n "$CUDA_ARCHS" ]; then
         BUILD_ARGS+=(--cuda-archs "$CUDA_ARCHS")
     fi
+    # GITHUB_TOKEN is passed through environment if set
     "$SCRIPT_DIR/build-image.sh" "${BUILD_ARGS[@]}"
 fi

.github/workflows/build-and-push-images.yml

@@ -54,6 +54,9 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build ere-base and ere-base-${{ matrix.zkvm }} images
+        env:
+          DOCKER_BUILDKIT: 1
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           bash .github/scripts/build-image.sh \
             --zkvm ${{ matrix.zkvm }} \
@@ -66,6 +69,9 @@ jobs:
           docker push ${{ needs.image_meta.outputs.registry }}/ere-base-${{ matrix.zkvm }}:${{ needs.image_meta.outputs.sha_tag }}
 
       - name: Build ere-compiler-${{ matrix.zkvm }} and ere-server-${{ matrix.zkvm }} images
+        env:
+          DOCKER_BUILDKIT: 1
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           bash .github/scripts/build-image.sh \
             --zkvm ${{ matrix.zkvm }} \
@@ -110,6 +116,9 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build ere-base and ere-base-${{ matrix.zkvm }} images with CUDA enabled
+        env:
+          DOCKER_BUILDKIT: 1
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           bash .github/scripts/build-image.sh \
             --zkvm ${{ matrix.zkvm }} \
@@ -123,6 +132,9 @@ jobs:
           docker push ${{ needs.image_meta.outputs.registry }}/ere-base-${{ matrix.zkvm }}:${{ needs.image_meta.outputs.sha_tag }}-cuda
 
       - name: Build ere-server-${{ matrix.zkvm }} image with CUDA enabled
+        env:
+          DOCKER_BUILDKIT: 1
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           bash .github/scripts/build-image.sh \
             --zkvm ${{ matrix.zkvm }} \
@@ -162,6 +174,9 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build ere-cluster-${{ matrix.zkvm }} image with CUDA enabled
+        env:
+          DOCKER_BUILDKIT: 1
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           bash .github/scripts/build-image.sh \
             --zkvm ${{ matrix.zkvm }} \

.github/workflows/test-zkvm.yml

@@ -97,6 +97,9 @@ jobs:
         run: bash .github/scripts/free-up-disk-space.sh
 
       - name: Pull or build ere-base and ere-base-${{ inputs.zkvm }} images with CUDA enabled
+        env:
+          DOCKER_BUILDKIT: 1
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           CACHED_TAG="${{ needs.image_meta.outputs.cached_image_tag }}"
           if [ -n "$CACHED_TAG" ]; then
@@ -110,6 +113,9 @@ jobs:
             --cuda-archs '${{ env.CUDA_ARCHS }}'
 
       - name: Build ere-server-${{ inputs.zkvm }} image with CUDA enabled
+        env:
+          DOCKER_BUILDKIT: 1
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           bash .github/scripts/build-image.sh \
             --zkvm ${{ inputs.zkvm }} \
@@ -120,6 +126,9 @@ jobs:
 
       - name: Build ere-cluster-${{ inputs.zkvm }} image with CUDA enabled
         if: ${{ inputs.cluster && needs.image_meta.outputs.dockerfile_changed == 'true' }}
+        env:
+          DOCKER_BUILDKIT: 1
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           bash .github/scripts/build-image.sh \
             --zkvm ${{ inputs.zkvm }} \
@@ -213,6 +222,9 @@ jobs:
 
       - name: Pull base zkvm image or build locally
         if: github.event_name == 'pull_request'
+        env:
+          DOCKER_BUILDKIT: 1
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           bash .github/scripts/pull-or-build-base-zkvm-image.sh \
             --zkvm ${{ inputs.zkvm }} \
@@ -294,6 +306,9 @@ jobs:
 
       - name: Pull images or build locally
         if: github.event_name == 'pull_request'
+        env:
+          DOCKER_BUILDKIT: 1
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           bash .github/scripts/pull-or-build-base-zkvm-image.sh \
             --zkvm ${{ inputs.zkvm }} \

docker/airbender/Dockerfile.base

@@ -13,7 +13,8 @@ RUN rustup default nightly-2026-02-10
 # Copy the Airbender SDK installer script from the workspace context
 COPY --chmod=755 scripts/sdk_installers/install_airbender_sdk.sh /tmp/install_airbender_sdk.sh
 
-# Run the Airbender SDK installation script.
-RUN /tmp/install_airbender_sdk.sh && rm /tmp/install_airbender_sdk.sh
+# Run the Airbender SDK installation script with secret mount
+RUN --mount=type=secret,id=github_token \
+    /tmp/install_airbender_sdk.sh && rm /tmp/install_airbender_sdk.sh
 
 CMD ["/bin/bash"]

docker/openvm/Dockerfile.base

@@ -11,10 +11,11 @@ RUN rustup default nightly
 # Copy the OpenVM SDK installer script from the workspace context
 COPY --chmod=755 scripts/sdk_installers/install_openvm_sdk.sh /tmp/install_openvm_sdk.sh
 
-# Run the OpenVM SDK installation script.
+# Run the OpenVM SDK installation script with secret mount
 # This script installs a specific toolchain
 # and installs cargo-openvm.
-RUN /tmp/install_openvm_sdk.sh && rm /tmp/install_openvm_sdk.sh
+RUN --mount=type=secret,id=github_token \
+    /tmp/install_openvm_sdk.sh && rm /tmp/install_openvm_sdk.sh
 
 # Verify cargo-openvm is accessible with the correct toolchain
 RUN cargo openvm --version

docker/risc0/Dockerfile.base

@@ -9,8 +9,15 @@ ARG RUSTFLAGS
 
 # Install protoc with same version as https://github.com/risc0/risc0/blob/v3.0.3/bento/dockerfiles/agent.dockerfile#L24-L26.
 # Only install when argument `CUDA` is set, in order to build `r0vm-cuda`.
-RUN [ -n "$CUDA" ] && \
-    (curl -o protoc.zip -L https://github.com/protocolbuffers/protobuf/releases/download/v31.1/protoc-31.1-linux-x86_64.zip \
+# Use authenticated GitHub API calls if token is available to avoid rate limiting
+RUN --mount=type=secret,id=github_token \
+    [ -n "$CUDA" ] && \
+    (if [ -f /run/secrets/github_token ]; then \
+        GITHUB_TOKEN=$(cat /run/secrets/github_token); \
+        curl -o protoc.zip -L -H "Authorization: Bearer $GITHUB_TOKEN" https://github.com/protocolbuffers/protobuf/releases/download/v31.1/protoc-31.1-linux-x86_64.zip; \
+    else \
+        curl -o protoc.zip -L https://github.com/protocolbuffers/protobuf/releases/download/v31.1/protoc-31.1-linux-x86_64.zip; \
+    fi \
     && unzip protoc.zip -d /usr/local) || true
 
 # Fully formed NVCC flags for CUDA arch targeting (e.g. "--generate-code arch=compute_120,code=sm_120")
@@ -24,9 +31,10 @@ ENV RISC0_VERSION="3.0.5" \
     RISC0_CPP_VERSION="2024.1.5" \
     RISC0_RUST_VERSION="1.94.1"
 
-# Run the Risc0 SDK installation script
+# Run the Risc0 SDK installation script with secret mount
 # It will use the RISC0_VERSION, RISC0_CPP_VERSION and RISC0_RUST_VERSION defined above.
-RUN /tmp/install_risc0_sdk.sh && rm /tmp/install_risc0_sdk.sh
+RUN --mount=type=secret,id=github_token \
+    /tmp/install_risc0_sdk.sh && rm /tmp/install_risc0_sdk.sh
 
 # Verify Risc0 installation (script also does this, but good for Dockerfile sanity)
 RUN echo "Verifying Risc0 installation in Dockerfile (post-script)..." && cargo risczero --version

docker/sp1/Dockerfile.base

@@ -19,9 +19,10 @@ COPY --chmod=755 scripts/sdk_installers/install_sp1_sdk.sh /tmp/install_sp1_sdk.
 ENV SP1_DIR="/root/.sp1" \
     SP1_VERSION="v6.1.0"
 
-# Run the SP1 SDK installation script
+# Run the SP1 SDK installation script with secret mount
 # It will use the SP1_DIR and SP1_VERSION defined above.
-RUN /tmp/install_sp1_sdk.sh && rm /tmp/install_sp1_sdk.sh
+RUN --mount=type=secret,id=github_token \
+    /tmp/install_sp1_sdk.sh && rm /tmp/install_sp1_sdk.sh
 
 # Update the image's persistent PATH to include SP1 binaries.
 # This uses the SP1_DIR defined above.

docker/zisk/Dockerfile.base

@@ -37,9 +37,10 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 # Copy the ZisK SDK installer script from the workspace context
 COPY --chmod=755 scripts/sdk_installers/install_zisk_sdk.sh /tmp/install_zisk_sdk.sh
 
-# Run the ZisK SDK installation script using ziskup.
+# Run the ZisK SDK installation script using ziskup with secret mount
 # This script installs the 'zisk' Rust toolchain and `cargo-zisk`
-RUN /tmp/install_zisk_sdk.sh && \
+RUN --mount=type=secret,id=github_token \
+    /tmp/install_zisk_sdk.sh && \
     rm /tmp/install_zisk_sdk.sh
 
 # The 'zisk' Rust toolchain is now installed.

docker/zisk/Dockerfile.cluster

@@ -49,7 +49,13 @@ RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --de
 # Clone repo
 WORKDIR /app
 
-RUN git clone https://github.com/han0110/zisk.git --depth 1 --branch patch/v0.16.1 /app
+# Use authenticated git clone if GITHUB_TOKEN is available to avoid rate limiting
+RUN --mount=type=secret,id=github_token \
+    if [ -f /run/secrets/github_token ]; then \
+        GITHUB_TOKEN=$(cat /run/secrets/github_token); \
+        git config --global url."https://${GITHUB_TOKEN}@github.com/".insteadOf "https://github.com/"; \
+    fi && \
+    git clone https://github.com/han0110/zisk.git --depth 1 --branch patch/v0.16.1 /app
 
 # Whether to enable CUDA feature or not.
 ARG CUDA

scripts/sdk_installers/install_airbender_sdk.sh

@@ -22,6 +22,22 @@ ensure_tool_installed() {
 }
 # --- End of Utility functions ---
 
+# Read GitHub token from Docker BuildKit secret mount if available
+# This helps avoid API rate limiting
+if [ -f /run/secrets/github_token ]; then
+    GITHUB_TOKEN=$(cat /run/secrets/github_token)
+fi
+
+# Configure git authentication for GitHub if GITHUB_TOKEN is available
+setup_git_auth() {
+    if [ -n "${GITHUB_TOKEN:-}" ]; then
+        echo "Configuring git authentication with GITHUB_TOKEN..."
+        git config --global url."https://${GITHUB_TOKEN}@github.com/".insteadOf "https://github.com/"
+    fi
+}
+
+setup_git_auth
+
 ensure_tool_installed "rustup" "to manage Rust toolchains"
 ensure_tool_installed "cargo" "to build and install Rust packages"
 

scripts/sdk_installers/install_openvm_sdk.sh

@@ -24,6 +24,22 @@ ensure_tool_installed() {
 
 echo "Installing OpenVM Toolchain..."
 
+# Read GitHub token from Docker BuildKit secret mount if available
+# This helps avoid API rate limiting
+if [ -f /run/secrets/github_token ]; then
+    GITHUB_TOKEN=$(cat /run/secrets/github_token)
+fi
+
+# Configure git authentication for GitHub if GITHUB_TOKEN is available
+setup_git_auth() {
+    if [ -n "${GITHUB_TOKEN:-}" ]; then
+        echo "Configuring git authentication with GITHUB_TOKEN..."
+        git config --global url."https://${GITHUB_TOKEN}@github.com/".insteadOf "https://github.com/"
+    fi
+}
+
+setup_git_auth
+
 ensure_tool_installed "rustup" "to manage Rust toolchains"
 ensure_tool_installed "git" "to install cargo-openvm from a git repository"
 ensure_tool_installed "cargo" "to build and install Rust packages"

scripts/sdk_installers/install_risc0_sdk.sh

@@ -30,6 +30,22 @@ ensure_tool_installed() {
 
 echo "Installing Risc0 Toolchain using rzup (latest release versions)..."
 
+# Read GitHub token from Docker BuildKit secret mount if available
+# This helps avoid API rate limiting
+if [ -f /run/secrets/github_token ]; then
+    GITHUB_TOKEN=$(cat /run/secrets/github_token)
+fi
+
+# Configure git authentication for GitHub if GITHUB_TOKEN is available
+setup_git_auth() {
+    if [ -n "${GITHUB_TOKEN:-}" ]; then
+        echo "Configuring git authentication with GITHUB_TOKEN..."
+        git config --global url."https://${GITHUB_TOKEN}@github.com/".insteadOf "https://github.com/"
+    fi
+}
+
+setup_git_auth
+
 ensure_tool_installed "curl" "to download the rzup installer"
 ensure_tool_installed "bash" "as the rzup installer script uses bash"
 

scripts/sdk_installers/install_sp1_sdk.sh

@@ -3,6 +3,22 @@ set -e # Exit immediately if a command exits with a non-zero status.
 
 echo "Installing Succinct SP1 Toolchain..."
 
+# Read GitHub token from Docker BuildKit secret mount if available
+# This helps avoid API rate limiting
+if [ -f /run/secrets/github_token ]; then
+    GITHUB_TOKEN=$(cat /run/secrets/github_token)
+fi
+
+# Configure git authentication for GitHub if GITHUB_TOKEN is available
+setup_git_auth() {
+    if [ -n "${GITHUB_TOKEN:-}" ]; then
+        echo "Configuring git authentication with GITHUB_TOKEN..."
+        git config --global url."https://${GITHUB_TOKEN}@github.com/".insteadOf "https://github.com/"
+    fi
+}
+
+setup_git_auth
+
 # Ensure prerequisites like curl are there
 if ! command -v curl &> /dev/null; then
     echo "Error: curl could not be found, please install it first." >&2
@@ -52,6 +68,13 @@ echo "  export PATH=\"${SP1_DIR}/bin:\$PATH\""
 echo "Then source your profile or open a new terminal."
 
 # Download CUDA prover (supports CUDA compute capabilities 80, 86, 89, 90, 100, 120)
+# Use authentication header if GITHUB_TOKEN is available
+if [ -n "${GITHUB_TOKEN:-}" ]; then
+    AUTH_HEADER="-H \"Authorization: Bearer $GITHUB_TOKEN\""
+else
+    AUTH_HEADER=""
+fi
+
 mkdir -p $HOME/.sp1/bin && \
-    curl -L "https://github.com/succinctlabs/sp1/releases/download/${SP1_VERSION}/sp1_gpu_server_${SP1_VERSION}_x86_64.tar.gz" | \
+    curl $AUTH_HEADER -L "https://github.com/succinctlabs/sp1/releases/download/${SP1_VERSION}/sp1_gpu_server_${SP1_VERSION}_x86_64.tar.gz" | \
     tar -xzf - -C $HOME/.sp1/bin