From 82383ddd667d5641abb6daf2f86a29e2e0663deb Mon Sep 17 00:00:00 2001
From: falcorocks <14293929+falcorocks@users.noreply.github.com>
Date: Thu, 12 Feb 2026 15:32:31 +0100
Subject: [PATCH] fix(docker): prioritize source_token over GitHub App token

GitHub App tokens cannot access GHSA temporary private forks.
When source_token is provided, use it directly and skip app
token generation.
---
 .github/workflows/docker.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml
index 6d2e394..5092613 100644
--- a/.github/workflows/docker.yaml
+++ b/.github/workflows/docker.yaml
@@ -134,7 +134,7 @@ jobs:
           egress-policy: audit
 
       - name: Generate GitHub App token
-        if: inputs.source_repo != '' && inputs.source_repo != github.repository
+        if: inputs.source_repo != '' && inputs.source_repo != github.repository && secrets.source_token == ''
         id: app-token
         uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
         with:
@@ -147,7 +147,7 @@ jobs:
         with:
           repository: ${{ inputs.source_repo || github.repository }}
           ref: ${{ inputs.source_ref || github.sha }}
-          token: ${{ steps.app-token.outputs.token || secrets.source_token || github.token }}
+          token: ${{ secrets.source_token || steps.app-token.outputs.token || github.token }}
           submodules: recursive
 
       - name: Set up Docker Buildx