workflows: Use GH_TOKEN to avoid GitHub rate limits

Building Kata components requires downloading tools like ORAS, cloud-hypervisor,
nydus, jq, cosign, upx, and gh CLI from GitHub releases. Without authentication,
these downloads can hit GitHub's rate limits causing build failures.

This commit ensures GH_TOKEN is passed down to all build-related steps:

GitHub Actions workflows:
- build-kata-static-tarball-amd64.yaml
- build-kata-static-tarball-arm64.yaml
- build-kata-static-tarball-s390x.yaml
- build-kata-static-tarball-ppc64le.yaml
- build-kata-static-tarball-riscv64.yaml

Docker build infrastructure:
- kata-deploy-binaries-in-docker.sh: Pass GH_TOKEN to docker build and run
- dockerbuild/Dockerfile: Accept GH_TOKEN as build arg
- dockerbuild/install_oras.sh: Use GH_TOKEN for ORAS downloads

Other scripts with GitHub downloads:
- lib.sh: gh CLI download
- ubuntu/Dockerfile.in: cosign download
- kata-deploy/Dockerfile: jq and nydus-snapshotter downloads
- nvidia_rootfs.sh: upx download
- cloud-hypervisor/build-static-clh.sh: cloud-hypervisor binary download
- nydus/build.sh: nydus binary download

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
Fabiano Fidêncio
2025-12-11 14:40:17 +01:00
parent 911c7873ea
commit 0a3e5f5fcf
14 changed files with 68 additions and 11 deletions


@@ -110,6 +110,7 @@ jobs:
TARGET_BRANCH: ${{ inputs.target-branch }}
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
KBUILD_SIGN_PIN: ${{ contains(matrix.asset, 'nvidia') && secrets.KBUILD_SIGN_PIN || '' }}
GH_TOKEN: ${{ github.token }}
- name: Parse OCI image name and digest
id: parse-oci-segments
@@ -223,6 +224,7 @@ jobs:
TARGET_BRANCH: ${{ inputs.target-branch }}
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
KBUILD_SIGN_PIN: ${{ contains(matrix.asset, 'nvidia') && secrets.KBUILD_SIGN_PIN || '' }}
GH_TOKEN: ${{ github.token }}
- name: store-artifact ${{ matrix.asset }}
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
@@ -318,6 +320,7 @@ jobs:
TARGET_BRANCH: ${{ inputs.target-branch }}
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
MEASURED_ROOTFS: yes
GH_TOKEN: ${{ github.token }}
- name: store-artifact shim-v2
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
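Review bot: `GH_TOKEN: ${{ github.token }}` hands the job's installation token to the build step, but the job-level `permissions:` that decides what that token can do is outside this hunk, so it is worth confirming it is the minimum the build needs; for rate-limit relief the token only has to be valid, so `contents: read` is enough unless the same step also pushes. Per the commit description the value is then forwarded into `docker build --build-arg` and into shell scripts that `eval` it, places where GitHub's log masking no longer helps, so the narrower the token the better. A short comment on the new line, `# authenticated GitHub downloads (rate limits); needs no extra permissions`, would record why it is here.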


@@ -91,6 +91,7 @@ jobs:
TARGET_BRANCH: ${{ inputs.target-branch }}
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
KBUILD_SIGN_PIN: ${{ contains(matrix.asset, 'nvidia') && secrets.KBUILD_SIGN_PIN || '' }}
GH_TOKEN: ${{ github.token }}
- name: Parse OCI image name and digest
id: parse-oci-segments
@@ -198,6 +199,7 @@ jobs:
TARGET_BRANCH: ${{ inputs.target-branch }}
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
KBUILD_SIGN_PIN: ${{ contains(matrix.asset, 'nvidia') && secrets.KBUILD_SIGN_PIN || '' }}
GH_TOKEN: ${{ github.token }}
- name: store-artifact ${{ matrix.asset }}
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
@@ -288,6 +290,7 @@ jobs:
ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
TARGET_BRANCH: ${{ inputs.target-branch }}
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
GH_TOKEN: ${{ github.token }}
- name: store-artifact shim-v2
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
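Review bot: The same `env:` block now spells the one token two ways — `ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}` on the line above and `GH_TOKEN: ${{ github.token }}` on the new line. They resolve to the same value, so this is style only, but a reader may take them for two different credentials. Pick one form, e.g. `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}`, or add `# same token as ARTEFACT_REGISTRY_PASSWORD; used only for authenticated downloads` so the relationship is explicit.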


@@ -78,6 +78,7 @@ jobs:
ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
TARGET_BRANCH: ${{ inputs.target-branch }}
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
GH_TOKEN: ${{ github.token }}
- name: store-artifact ${{ matrix.asset }}
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
@@ -144,6 +145,7 @@ jobs:
ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
TARGET_BRANCH: ${{ inputs.target-branch }}
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
GH_TOKEN: ${{ github.token }}
- name: store-artifact ${{ matrix.asset }}
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
@@ -219,6 +221,7 @@ jobs:
ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
TARGET_BRANCH: ${{ inputs.target-branch }}
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
GH_TOKEN: ${{ github.token }}
- name: store-artifact shim-v2
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2


@@ -65,6 +65,7 @@ jobs:
ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
TARGET_BRANCH: ${{ inputs.target-branch }}
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
GH_TOKEN: ${{ github.token }}
- name: store-artifact ${{ matrix.asset }}
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2


@@ -87,6 +87,7 @@ jobs:
ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
TARGET_BRANCH: ${{ inputs.target-branch }}
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
GH_TOKEN: ${{ github.token }}
- name: Parse OCI image name and digest
id: parse-oci-segments
@@ -180,6 +181,7 @@ jobs:
ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
TARGET_BRANCH: ${{ inputs.target-branch }}
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
GH_TOKEN: ${{ github.token }}
- name: store-artifact ${{ matrix.asset }}
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
@@ -308,6 +310,7 @@ jobs:
TARGET_BRANCH: ${{ inputs.target-branch }}
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
MEASURED_ROOTFS: no
GH_TOKEN: ${{ github.token }}
- name: store-artifact shim-v2
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2


@@ -128,7 +128,12 @@ setup_nvidia_gpu_rootfs_stage_one() {
popd >> /dev/null
pushd "${BUILD_DIR}" >> /dev/null
curl -LO "https://github.com/upx/upx/releases/download/v4.2.4/upx-4.2.4-${distro_arch}_linux.tar.xz"
# Use GH_TOKEN for authenticated requests to avoid rate limiting
curl_auth_header=""
if [[ -n "${GH_TOKEN:-}" ]]; then
curl_auth_header="-H \"Authorization: token ${GH_TOKEN}\""
fi
eval curl -LO ${curl_auth_header} "https://github.com/upx/upx/releases/download/v4.2.4/upx-4.2.4-${distro_arch}_linux.tar.xz"
tar xvf "upx-4.2.4-${distro_arch}_linux.tar.xz"
popd >> /dev/null
}
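Review bot: `eval curl -LO ${curl_auth_header} …` re-parses the token as shell code, so a GH_TOKEN containing a double quote, `$(` or a backtick would be executed rather than sent; in CI `github.token` is a plain `ghs_…` string, but this script also runs locally with whatever the developer has exported. A bash array carries the optional header without `eval` and keeps ShellCheck quiet (use `${curl_auth_args[@]+"${curl_auth_args[@]}"}` if the script runs under `set -u` on bash older than 4.4). Independently, `-H "Authorization: token …"` places the secret in curl's argv, visible in `/proc/*/cmdline` and in any `set -x` trace. `setup_nvidia_gpu_rootfs_stage_one` starts before this hunk; the popd/pushd context lines are unchanged.
```shell
# … unchanged: popd / pushd "${BUILD_DIR}" …
# Optional authenticated request to avoid GitHub's unauthenticated rate limit.
curl_auth_args=()
if [[ -n "${GH_TOKEN:-}" ]]; then
	curl_auth_args=(-H "Authorization: token ${GH_TOKEN}")
fi
curl -LO "${curl_auth_args[@]}" "https://github.com/upx/upx/releases/download/v4.2.4/upx-4.2.4-${distro_arch}_linux.tar.xz"
# … unchanged: tar xvf / popd …
```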


@@ -87,6 +87,8 @@ RUN ARCH=$(uname -m); \
RUN pip install --no-cache-dir pyinstaller==6.9.0 || pip install --no-cache-dir pyinstaller==6.9.0 --break-system-packages
# GH_TOKEN is used to authenticate with GitHub API to avoid rate limiting
ARG GH_TOKEN
# pin cosign to 3.0.2
RUN ARCH=$(uname -m); \
cosign_arch=""; \
@@ -95,10 +97,12 @@ RUN ARCH=$(uname -m); \
"x86_64") cosign_arch="amd64" ;; \
*) echo "Unsupported architecture for cosign: ${ARCH}" && exit 0 ;; \
esac; \
curl -O -L "https://github.com/sigstore/cosign/releases/download/v3.0.2/cosign_3.0.2_${cosign_arch}.deb" && \
curl_auth_header=""; \
if [[ -n "${GH_TOKEN:-}" ]]; then curl_auth_header="-H \"Authorization: token ${GH_TOKEN}\""; fi; \
eval curl -O -L ${curl_auth_header} "https://github.com/sigstore/cosign/releases/download/v3.0.2/cosign_3.0.2_${cosign_arch}.deb" && \
# In order to avoid the chicken-egg problem of the need of cosign to verify the cosign binary, \
# let's verify the checksum instead. \
curl -O -L "https://github.com/sigstore/cosign/releases/download/v3.0.2/cosign_checksums.txt" && \
eval curl -O -L ${curl_auth_header} "https://github.com/sigstore/cosign/releases/download/v3.0.2/cosign_checksums.txt" && \
grep -F ${cosign_arch}.deb cosign_checksums.txt | sha256sum --check - && \
dpkg -i "cosign_3.0.2_${cosign_arch}.deb" && \
rm -f "cosign_3.0.2_${cosign_arch}.deb"* cosign_checksum*.txt
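Review bot: The `ARG GH_TOKEN` consumed by this `RUN` is recorded in the resulting image's metadata — Docker documents that build-arg values used by a step show up in `docker history`, and warns against passing tokens this way — so the token outlives the two downloads it was needed for; `github.token` expires when the job ends, which bounds the exposure but does not remove it. With BuildKit the value can be mounted rather than baked in: `RUN --mount=type=secret,id=GH_TOKEN GH_TOKEN="$(cat /run/secrets/GH_TOKEN 2>/dev/null || true)"; ARCH=$(uname -m); …` together with `--secret id=GH_TOKEN,env=GH_TOKEN` on the build command, which is outside this hunk. The two `eval curl …` lines also re-parse the token as shell code; `curl -O -L ${GH_TOKEN:+-H "Authorization: token ${GH_TOKEN}"} "https://…"` sends the header only when the variable is set and needs no `eval`. The `sha256sum --check` against `cosign_checksums.txt` is kept, which is the right call; the enclosing `RUN` begins in the first hunk of this section.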


@@ -14,6 +14,8 @@ FROM quay.io/kata-containers/golang:1.24-alpine AS nydus-binary-downloader
# in versions.yaml
ARG NYDUS_SNAPSHOTTER_VERSION=v0.15.2
ARG NYDUS_SNAPSHOTTER_REPO=https://github.com/containerd/nydus-snapshotter
# GH_TOKEN is used to authenticate with GitHub API to avoid rate limiting
ARG GH_TOKEN
RUN \
mkdir -p /opt/nydus-snapshotter && \
@@ -21,7 +23,9 @@ RUN \
if [[ "${ARCH}" == "x86_64" ]]; then ARCH=amd64 ; fi && \
if [[ "${ARCH}" == "aarch64" ]]; then ARCH=arm64; fi && \
apk add --no-cache curl && \
curl -fOL --progress-bar ${NYDUS_SNAPSHOTTER_REPO}/releases/download/${NYDUS_SNAPSHOTTER_VERSION}/nydus-snapshotter-${NYDUS_SNAPSHOTTER_VERSION}-linux-${ARCH}.tar.gz && \
curl_auth_header=""; \
if [[ -n "${GH_TOKEN:-}" ]]; then curl_auth_header="-H \"Authorization: token ${GH_TOKEN}\""; fi && \
eval curl -fOL --progress-bar ${curl_auth_header} ${NYDUS_SNAPSHOTTER_REPO}/releases/download/${NYDUS_SNAPSHOTTER_VERSION}/nydus-snapshotter-${NYDUS_SNAPSHOTTER_VERSION}-linux-${ARCH}.tar.gz && \
tar xvzpf nydus-snapshotter-${NYDUS_SNAPSHOTTER_VERSION}-linux-${ARCH}.tar.gz -C /opt/nydus-snapshotter && \
rm nydus-snapshotter-${NYDUS_SNAPSHOTTER_VERSION}-linux-${ARCH}.tar.gz
@@ -33,6 +37,8 @@ FROM base
ARG KATA_ARTIFACTS=./kata-static.tar.zst
ARG DESTINATION=/opt/kata-artifacts
# GH_TOKEN is used to authenticate with GitHub API to avoid rate limiting
ARG GH_TOKEN
COPY ${KATA_ARTIFACTS} /
@@ -51,9 +57,11 @@ RUN \
if [ "${ARCH}" = "aarch64" ]; then ARCH=arm64; fi && \
DEBIAN_ARCH=${ARCH} && \
if [ "${DEBIAN_ARCH}" = "ppc64le" ]; then DEBIAN_ARCH=ppc64el; fi && \
curl_auth_header=""; \
if [ -n "${GH_TOKEN:-}" ]; then curl_auth_header="-H \"Authorization: token ${GH_TOKEN}\""; fi && \
curl -fL --progress-bar -o /usr/bin/kubectl https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/${ARCH}/kubectl && \
chmod +x /usr/bin/kubectl && \
curl -fL --progress-bar -o /usr/bin/jq https://github.com/jqlang/jq/releases/download/jq-1.7.1/jq-linux-${DEBIAN_ARCH} && \
eval curl -fL --progress-bar ${curl_auth_header} -o /usr/bin/jq https://github.com/jqlang/jq/releases/download/jq-1.7.1/jq-linux-${DEBIAN_ARCH} && \
chmod +x /usr/bin/jq && \
mkdir -p ${DESTINATION} && \
tar --zstd -xvf ${WORKDIR}/${KATA_ARTIFACTS} -C ${DESTINATION} && \
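Review bot: `ARG GH_TOKEN` in the `FROM base` stage is consumed by the `RUN` that fetches jq, so its value is written into that layer's history of what is presumably the shipped kata-deploy image (Docker documents that build-arg values used by a step appear in `docker history`); the nydus-downloader stage is discarded, but this stage is not. `github.token` expires with the job, which limits the damage, but a BuildKit secret mount avoids it entirely: `RUN --mount=type=secret,id=GH_TOKEN GH_TOKEN="$(cat /run/secrets/GH_TOKEN 2>/dev/null || true)" && …` paired with `--secret id=GH_TOKEN,env=GH_TOKEN` at the build call, which is outside this hunk. This stage's shell is `sh` (`[ -n … ]`), so the header can be added without `eval` or arrays as `curl -fL --progress-bar ${GH_TOKEN:+-H "Authorization: token ${GH_TOKEN}"} -o /usr/bin/jq https://github.com/jqlang/jq/releases/download/jq-1.7.1/jq-linux-${DEBIAN_ARCH}`. The unchanged `kubectl` download is correctly left unauthenticated since it is not served by GitHub.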


@@ -8,6 +8,8 @@ ENV INSTALL_IN_GOPATH=false
# Required for libxml2-dev
ENV TZ=Etc/UTC
ARG ARCH
# GH_TOKEN is used to authenticate with GitHub API to avoid rate limiting
ARG GH_TOKEN
COPY install_yq.sh /usr/bin/install_yq.sh
COPY install_oras.sh /usr/bin/install_oras.sh
@@ -15,6 +17,7 @@ COPY install_oras.sh /usr/bin/install_oras.sh
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
# Install yq, oras, and docker
# Note: GH_TOKEN is passed to install_oras.sh to avoid GitHub rate limiting
RUN apt-get update && \
apt-get install -y --no-install-recommends \
ca-certificates \
@@ -26,7 +29,7 @@ RUN apt-get update && \
sudo && \
apt-get clean && rm -rf /var/lib/apt/lists/ && \
install_yq.sh && \
install_oras.sh
GH_TOKEN="${GH_TOKEN}" install_oras.sh
ARG IMG_USER=kata-builder
ARG UID=1000
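Review bot: `GH_TOKEN="${GH_TOKEN}" install_oras.sh` is redundant — a declared `ARG` is already in the environment of every later `RUN` in the stage — so the prefix can go, or stay purely as documentation. The more important point is that the build-arg value is written into the `build-kata-deploy` image's history (`docker history` shows args used by a `RUN`); that image is local to the builder, so exposure is bounded, but `RUN --mount=type=secret,id=GH_TOKEN` with `GH_TOKEN="$(cat /run/secrets/GH_TOKEN 2>/dev/null || true)" install_oras.sh` keeps it out of the image altogether, given `--secret id=GH_TOKEN,env=GH_TOKEN` on the build side. The `# Note:` line above the `RUN` would then read `# GH_TOKEN is mounted as a BuildKit secret for install_oras.sh (GitHub rate limits)`. The `RUN` spans both hunks of this section.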


@@ -37,7 +37,12 @@ fi
oras_tarball="oras_${oras_required_version#v}_linux_${arch}.tar.gz"
echo "Downloading ORAS ${oras_required_version}"
curl -OL https://github.com/oras-project/oras/releases/download/${oras_required_version}/${oras_tarball}
# Use GH_TOKEN for authenticated requests to avoid rate limiting
curl_auth_header=""
if [[ -n "${GH_TOKEN:-}" ]]; then
curl_auth_header="-H \"Authorization: token ${GH_TOKEN}\""
fi
eval curl -OL ${curl_auth_header} https://github.com/oras-project/oras/releases/download/${oras_required_version}/${oras_tarball}
echo "Installing ORAS to ${install_dest}"
sudo mkdir -p "${install_dest}"
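Review bot: `eval curl -OL ${curl_auth_header} …` re-parses the token as shell code, so a GH_TOKEN holding a double quote or `$(` would run instead of being sent, and the value lands in curl's argv where `set -x` and `/proc/*/cmdline` expose it. The conditional header can be passed without `eval`: `curl -OL ${GH_TOKEN:+-H "Authorization: token ${GH_TOKEN}"} "https://github.com/oras-project/oras/releases/download/${oras_required_version}/${oras_tarball}"`, which expands to nothing when the variable is unset or empty. Pre-existing rather than new, the download has neither `--fail` nor a checksum, so a 429 error page would be handed to the extraction step below; `-fOL` plus a `sha256sum -c` against the release's checksum file, if the project publishes one, would close that. `oras_required_version` is resolved above the hunk.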


@@ -69,6 +69,7 @@ if [ ! -d "$HOME/.docker" ]; then
fi
"${script_dir}"/kata-deploy-copy-yq-installer.sh
GH_TOKEN="${GH_TOKEN:-}"
docker build -q -t build-kata-deploy \
--build-arg IMG_USER="${USER}" \
--build-arg UID=${uid} \
@@ -77,6 +78,7 @@ docker build -q -t build-kata-deploy \
--build-arg https_proxy="${https_proxy}" \
--build-arg HOST_DOCKER_GID=${docker_gid} \
--build-arg ARCH="${ARCH}" \
--build-arg GH_TOKEN="${GH_TOKEN}" \
"${script_dir}/dockerbuild/"
ARTEFACT_REGISTRY="${ARTEFACT_REGISTRY:-}"
@@ -120,6 +122,7 @@ docker run \
-v /var/run/docker.sock:/var/run/docker.sock \
-v "${kata_dir}:${kata_dir}" \
--env USER=${USER} \
--env GH_TOKEN="${GH_TOKEN}" \
--env ARTEFACT_REGISTRY="${ARTEFACT_REGISTRY}" \
--env ARTEFACT_REPOSITORY="${ARTEFACT_REPOSITORY}" \
--env ARTEFACT_REGISTRY_USERNAME="${ARTEFACT_REGISTRY_USERNAME}" \
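Review bot: `--build-arg GH_TOKEN="${GH_TOKEN}"` stores the token in the `build-kata-deploy` image's history (`docker history` prints build-arg values for the steps that use them), where it persists after the job's token has been masked out of logs. The BuildKit form keeps it out of the image: `--secret id=GH_TOKEN,env=GH_TOKEN` here, paired with `RUN --mount=type=secret,id=GH_TOKEN` in the Dockerfile, which is a separate file. `GH_TOKEN="${GH_TOKEN:-}"` on the first new line only turns an unset variable into an empty one (presumably for `set -u`, which is not visible in the hunk); a comment such as `# default to empty so the --build-arg/--env lines below are safe when unset` would make that intent clear. The `docker run --env GH_TOKEN` in the last hunk is fine as is, since that container is ephemeral.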


@@ -85,7 +85,12 @@ get_gh() {
fi
local goarch=$(arch_to_golang $(uname -m))
curl -sSL https://github.com/cli/cli/releases/download/v2.37.0/gh_2.37.0_linux_${goarch}.tar.gz | tar -xz
# Use GH_TOKEN for authenticated requests to avoid rate limiting
local curl_auth_header=""
if [[ -n "${GH_TOKEN:-}" ]]; then
curl_auth_header="-H \"Authorization: token ${GH_TOKEN}\""
fi
eval curl -sSL ${curl_auth_header} https://github.com/cli/cli/releases/download/v2.37.0/gh_2.37.0_linux_${goarch}.tar.gz | tar -xz
mv gh_2.37.0_linux_${goarch}/bin/gh "${gh_cli}"
rm -rf gh_2.37.0_linux_amd64
}
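Review bot: `eval curl -sSL ${curl_auth_header} … | tar -xz` re-parses the token as shell code and places it in argv; a `local` array avoids both without changing behaviour when GH_TOKEN is empty. Unrelated to the new lines but visible in this hunk, `rm -rf gh_2.37.0_linux_amd64` on the last context line hard-codes amd64 while the extracted directory is `gh_2.37.0_linux_${goarch}`, so on other architectures the directory is left behind; `rm -rf "gh_2.37.0_linux_${goarch}"` matches what was unpacked. `get_gh` starts before this hunk, where `gh_cli` and the early return are set.
```shell
# … unchanged: goarch resolution …
# Optional authenticated request to avoid GitHub's unauthenticated rate limit.
local curl_auth_args=()
if [[ -n "${GH_TOKEN:-}" ]]; then
	curl_auth_args=(-H "Authorization: token ${GH_TOKEN}")
fi
curl -sSL "${curl_auth_args[@]}" "https://github.com/cli/cli/releases/download/v2.37.0/gh_2.37.0_linux_${goarch}.tar.gz" | tar -xz
# … unchanged: mv / rm …
```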


@@ -47,7 +47,12 @@ pull_clh_released_binary() {
[ "${ARCH}" == "aarch64" ] && \
cloud_hypervisor_binary="${cloud_hypervisor_binary}-aarch64"
curl --fail -L ${cloud_hypervisor_binary} -o cloud-hypervisor-static || return 1
# Use GH_TOKEN for authenticated requests to avoid rate limiting
curl_auth_header=""
if [[ -n "${GH_TOKEN:-}" ]]; then
curl_auth_header="-H \"Authorization: token ${GH_TOKEN}\""
fi
eval curl --fail -L ${curl_auth_header} ${cloud_hypervisor_binary} -o cloud-hypervisor-static || return 1
mkdir -p cloud-hypervisor
mv -f cloud-hypervisor-static cloud-hypervisor/cloud-hypervisor
chmod +x cloud-hypervisor/cloud-hypervisor
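Review bot: `eval curl --fail -L ${curl_auth_header} ${cloud_hypervisor_binary} -o … || return 1` now re-parses both the token and the URL as shell code; the URL is assembled above the hunk from `${ARCH}` and is trusted, but the token can carry quotes or `$(` when a developer sets it locally. `curl --fail -L ${GH_TOKEN:+-H "Authorization: token ${GH_TOKEN}"} "${cloud_hypervisor_binary}" -o cloud-hypervisor-static || return 1` keeps the `|| return 1` semantics without `eval`. Keeping `--fail` matters here because the binary has no checksum check (pre-existing). `pull_clh_released_binary` starts outside the hunk.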


@@ -28,14 +28,20 @@ nydus_tarball_url="${nydus_url}/releases/download"
file_name="nydus-static-${nydus_version}-linux-$(arch_to_golang $arch).tgz"
download_url="${nydus_tarball_url}/${nydus_version}/${file_name}"
# Use GH_TOKEN for authenticated requests to avoid rate limiting
curl_auth_header=""
if [[ -n "${GH_TOKEN:-}" ]]; then
curl_auth_header="-H \"Authorization: token ${GH_TOKEN}\""
fi
info "Download nydus version: ${nydus_version} from ${download_url}"
curl -o ${file_name} -L $download_url
eval curl -o ${file_name} -L ${curl_auth_header} $download_url
sha256sum="${file_name}.sha256sum"
sha256sum_url="${nydus_tarball_url}/${nydus_version}/${sha256sum}"
info "Download nydus ${sha256sum} from ${sha256sum_url}"
curl -o ${sha256sum} -L $sha256sum_url
eval curl -o ${sha256sum} -L ${curl_auth_header} $sha256sum_url
sha256sum -c ${sha256sum}
tar zxvf ${file_name}
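Review bot: The `sha256sum -c` on the second-to-last line still gates the tarball, so a tampered or truncated download is caught; what remains are the two `eval curl …` lines, which re-parse the token as shell code and put it in argv. `curl --fail -o "${file_name}" -L ${GH_TOKEN:+-H "Authorization: token ${GH_TOKEN}"} "${download_url}"` (and the same for the `.sha256sum` URL) drops `eval` and, with `--fail`, turns a 429 into a curl error rather than a confusing checksum mismatch on an HTML body; the five-line `curl_auth_header` block is then unnecessary. Worth a comment on the download line: recent curl does not forward a custom `Authorization` header when the release redirect hops to the assets host, so the token only ever reaches github.com, which is the desired behaviour.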