From 9c4574808fbbeff297565b6cadc2106ad4019b56 Mon Sep 17 00:00:00 2001
From: ver4a
Date: Fri, 9 Jan 2026 00:27:22 +0100
Subject: [PATCH] feat: pass password to buildah login through stdin

This config makes it so that the registry password isn't passed as a command line argument to an external command (buildah login), but only to an internal command (echo). Thus the password can't be visible in process tree. (e.g. by using ps).
---
 .forgejo/workflows/build-image.yaml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/.forgejo/workflows/build-image.yaml b/.forgejo/workflows/build-image.yaml
index 6cd36ab..3cf6ed3 100644
--- a/.forgejo/workflows/build-image.yaml
+++ b/.forgejo/workflows/build-image.yaml
@@ -30,9 +30,10 @@ jobs:

 - name: 'Log in to registry'
 run: >
+ echo '${{ secrets.REGISTRY_PASSWORD }}' |
 buildah login
 -u '${{ vars.REGISTRY_USERNAME }}'
- -p '${{ secrets.REGISTRY_PASSWORD }}'
+ --password-stdin
 '${{ vars.REGISTRY_DOMAIN }}'

 - name: 'Push :ci-dev to registry'
@@ -78,9 +79,10 @@ jobs:

 - name: 'Log in to registry'
 run: >
+ echo '${{ secrets.REGISTRY_PASSWORD }}' |
 buildah login
 -u '${{ vars.REGISTRY_USERNAME }}'
- -p '${{ secrets.REGISTRY_PASSWORD }}'
+ --password-stdin
 '${{ vars.REGISTRY_DOMAIN }}'

 - name: 'Move :ci-dev to :stable'
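Review bot: The added `echo '${{ secrets.REGISTRY_PASSWORD }}' |` line, in both 'Log in to registry' steps (this hunk and the one at -78,9), still has the runner substitute the secret into the script text before the shell parses it. A password containing a single quote therefore ends the quoting and the remainder is parsed as shell, and the secret sits in the generated script rather than only in the pipe. `echo` also treats backslashes and a leading `-n`/`-e` differently between shells, which can change the bytes that reach `--password-stdin`. Passing the secret through the step environment avoids both: add `env:` with `REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}` to each step and change the line to `printf '%s\n' "$REGISTRY_PASSWORD" |`. The job definitions around these steps lie outside the hunks, so whether a non-default shell is configured there could not be checked.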