fix: validate GitHub token format before using

app.py

@@ -574,15 +574,29 @@ class KanikoBuilder:
         self.state.log(f"Registry auth configured for {self.config.registry_url}")
         return True
 
+    def _is_valid_github_token(self, token: str) -> bool:
+        """Check if token looks like a valid GitHub token."""
+        if not token or len(token) < 10:
+            return False
+        # GitHub PAT formats: ghp_, gho_, ghu_, ghs_, ghr_, github_pat_
+        valid_prefixes = ("ghp_", "gho_", "ghu_", "ghs_", "ghr_", "github_pat_")
+        return token.startswith(valid_prefixes)
+
     def clone_repo(self, build_config: BuildConfig) -> Path:
         target_dir = Path(tempfile.mkdtemp())
+        # Prefer explicit token from request, fall back to config
         token = build_config.github_token or self.config.github_token
         repo_url = build_config.repo_url
+        use_auth = False
 
-        if token and "github.com" in repo_url:
+        # Only use token if it looks valid
+        if token and self._is_valid_github_token(token) and "github.com" in repo_url:
             repo_url = repo_url.replace("https://github.com", f"https://{token}@github.com")
+            use_auth = True
             self.state.log(f"Cloning {build_config.repo_url} ({build_config.branch}) [authenticated]")
         else:
+            if token and not self._is_valid_github_token(token):
+                self.state.log(f"Skipping invalid token format, trying public clone")
             self.state.log(f"Cloning {build_config.repo_url} ({build_config.branch})")
 
         try:
@@ -591,7 +605,7 @@ class KanikoBuilder:
             self.state.log(f"Cloned to {target_dir}")
             return target_dir
         except Exception as e:
-            error_msg = mask_token(str(e), token)
+            error_msg = mask_token(str(e), token) if token else str(e)
             self.state.log(f"Clone failed: {error_msg}", level="error")
             raise RuntimeError(f"Clone failed: {error_msg}")