From 1c9d6e264fd2e31ea37d4c90540ea2ee9079f892 Mon Sep 17 00:00:00 2001
From: Kevin Pouget
Date: Tue, 12 May 2026 22:18:10 +0200
Subject: [PATCH] .github: workflows: image-push: remove GHA extraheader token from the image (short life pull token, not a proper leak)
---
 .github/workflows/image-push.yaml | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/.github/workflows/image-push.yaml b/.github/workflows/image-push.yaml
index 22be67a7..4cd5141f 100644
--- a/.github/workflows/image-push.yaml
+++ b/.github/workflows/image-push.yaml
@@ -12,6 +12,13 @@ jobs:
 steps:
 - uses: actions/checkout@v4
+ - name: Remove GitHub credentials from git config
+ run: |
+ # Remove the GitHub token from git config to prevent secret leakage in container
+ git config --unset-all http.https://github.com/.extraheader || true
+ # Reconfigure for anonymous access (public repo)
+ git remote set-url origin https://github.com/openshift-psap/forge
+
 - name: Determine tags
 id: tags
 run: |
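Review bot: The token is still written to `.git/config` by the `actions/checkout@v4` step just above and only removed afterwards, and the `|| true` on the `git config --unset-all` line lets the step pass even when nothing was removed, so a change in the key name or in how the action stores credentials would bring the leak back silently. Setting `with:` / `persist-credentials: false` on the checkout step keeps the token out of the config from the start. The unset can stay as a backstop, but it should be followed by a check that fails the job if any `extraheader` entry is still present in the git config. The image build is outside this hunk, so how `.git` reaches the image is inferred from the commit message; if it arrives through the build context, excluding `.git` in the build's ignore file would close that path independently of the git configuration.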