From c790a5b5497adb834c5266577afd7ef64fd05b88 Mon Sep 17 00:00:00 2001
From: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Date: Mon, 9 Feb 2026 17:03:08 +0100
Subject: [PATCH] buildx(build): handle domain when checking git auth token
 secret

Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
---
 __tests__/buildx/build.test.ts | 9 +++++----
 src/buildx/build.ts            | 6 ++++--
 2 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/__tests__/buildx/build.test.ts b/__tests__/buildx/build.test.ts
index 66593664..c7b51e34 100644
--- a/__tests__/buildx/build.test.ts
+++ b/__tests__/buildx/build.test.ts
@@ -348,10 +348,11 @@ describe('resolveAttestationAttrs', () => {
 describe('hasGitAuthTokenSecret', () => {
   // prettier-ignore
   test.each([
-    [['A_SECRET=abcdef0123456789'], false],
-    [['GIT_AUTH_TOKEN=abcdefghijklmno=0123456789'], true],
-  ])('given %p secret', async (kvp: Array<string>, expected: boolean) => {
-    expect(Build.hasGitAuthTokenSecret(kvp)).toBe(expected);
+    [['A_SECRET=abcdef0123456789'], undefined, false],
+    [['GIT_AUTH_TOKEN=abcdefghijklmno=0123456789'], undefined, true],
+    [['GIT_AUTH_TOKEN.github.com=abcdefghijklmno=0123456789'], 'github.com', true],
+  ])('given %p secret', async (kvp: Array<string>, domain: string | undefined, expected: boolean) => {
+    expect(Build.hasGitAuthTokenSecret(kvp, domain)).toBe(expected);
   });
 });
 
diff --git a/src/buildx/build.ts b/src/buildx/build.ts
index 2db3aaee..4de6ceaf 100644
--- a/src/buildx/build.ts
+++ b/src/buildx/build.ts
@@ -310,9 +310,11 @@ export class Build {
     return res.join(',');
   }
 
-  public static hasGitAuthTokenSecret(secrets: string[]): boolean {
+  public static hasGitAuthTokenSecret(secrets: string[], domain?: string): boolean {
     for (const secret of secrets) {
-      if (secret.startsWith('GIT_AUTH_TOKEN=')) {
+      if (domain && secret.startsWith(`GIT_AUTH_TOKEN.${domain}=`)) {
+        return true;
+      } else if (secret.startsWith('GIT_AUTH_TOKEN=')) {
         return true;
       }
     }