opensafely-core · bloodearnest · Jan 21, 2026
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
@@ -6,7 +6,8 @@ on:
 permissions:
   contents: read
   packages: write
-
+env:
+  UBUNTU_PRO_TOKEN: ${{ secrets.UBUNTU_PRO_TOKEN }}
 jobs:
   matrix:
     runs-on: ubuntu-22.04

diff --git a/.gitignore b/.gitignore
@@ -16,3 +16,4 @@ pkg.lock.bak
 metadata/
 
 .env
+.secrets
diff --git a/docker-compose.yaml b/docker-compose.yaml
@@ -6,6 +6,8 @@ services:
       context: .
       dockerfile: ${MAJOR_VERSION}/Dockerfile
       target: r
+      secrets:
+        - ubuntu_pro_token
       cache_from:  # should speed up the build in CI, where we have a cold cache
         - ghcr.io/opensafely-core/base-docker:${BASE}
         - ghcr.io/opensafely-core/r:${MAJOR_VERSION}
@@ -49,3 +51,7 @@ services:
     environment:
       HOSTPLATFORM: ${HOSTPLATFORM}
       HOSTUID: ${HOSTUID}
+
+secrets:
+  ubuntu_pro_token:
+    file: ${UBUNTU_PRO_TOKEN_FILE:-.secrets/ubuntu_pro_token}
diff --git a/justfile b/justfile
@@ -1,11 +1,25 @@
 set dotenv-load := true
 
+export UBUNTU_PRO_TOKEN_FILE := env_var_or_default('UBUNTU_PRO_TOKEN_FILE', justfile_directory() + "/.secrets/ubuntu_pro_token")
 #enable modern docker build features
 export DOCKER_BUILDKIT := "1"
 export COMPOSE_DOCKER_CLI_BUILD := "1"
 
+
+ensure-pro-token:
+  #!/bin/bash
+  set -euo pipefail
+  token_file="{{ UBUNTU_PRO_TOKEN_FILE }}"
+  if test -z "${UBUNTU_PRO_TOKEN:-}"; then
+    echo "UBUNTU_PRO_TOKEN is required to create $token_file" >&2
+    exit 1
+  fi
+  mkdir -p "$(dirname "$token_file")"
+  umask 077
+  printf '%s' "$UBUNTU_PRO_TOKEN" > "$token_file"
+
 # build the R image locally
-build version:
+build version: ensure-pro-token
     #!/usr/bin/env bash
     set -euo pipefail
 
@@ -42,7 +56,7 @@ add-package-v1 package repos="NULL":
     bash v1/scripts/add-package.sh {{ package }} {{ repos }}
 
 # r image containing rstudio-server
-build-rstudio version:
+build-rstudio version: ensure-pro-token
     docker compose --env-file {{ version }}/env build --pull rstudio
 
 # test the locally built image

diff --git a/v1/Dockerfile b/v1/Dockerfile
@@ -9,6 +9,7 @@ COPY v1/dependencies.txt /root/dependencies.txt
 
 # add cran repo for R packages and install
 RUN --mount=type=cache,target=/var/cache/apt,id=apt-2004 \
+    --mount=type=secret,id=ubuntu_pro_token,required=true \
     echo "deb https://cloud.r-project.org/bin/linux/ubuntu focal-cran40/" > /etc/apt/sources.list.d/cran.list &&\
     /usr/lib/apt/apt-helper download-file 'https://cloud.r-project.org/bin/linux/ubuntu/marutter_pubkey.asc' /etc/apt/trusted.gpg.d/cran_ubuntu_key.asc &&\
     /root/docker-apt-install.sh /root/dependencies.txt
@@ -24,7 +25,9 @@ FROM base-r as builder
 
 # install build time dependencies 
 COPY v1/build-dependencies.txt /root/build-dependencies.txt
-RUN --mount=type=cache,target=/var/cache/apt,id=apt-2004 /root/docker-apt-install.sh /root/build-dependencies.txt
+RUN --mount=type=cache,target=/var/cache/apt,id=apt-2004 \
+    --mount=type=secret,id=ubuntu_pro_token,required=true \
+    /root/docker-apt-install.sh /root/build-dependencies.txt
 
 RUN mkdir -p /cache /renv/lib
 
@@ -108,7 +111,9 @@ FROM r as rstudio
 
 # Install rstudio-server (and a few dependencies)
 COPY rstudio/rstudio-dependencies.txt /root/rstudio-dependencies.txt
-RUN --mount=type=cache,target=/var/cache/apt,id=apt-2004 /root/docker-apt-install.sh /root/rstudio-dependencies.txt &&\
+RUN --mount=type=cache,target=/var/cache/apt,id=apt-2004 \
+    --mount=type=secret,id=ubuntu_pro_token,required=true \
+    /root/docker-apt-install.sh /root/rstudio-dependencies.txt &&\
     test -f /var/cache/apt/"${RSTUDIO_DEB}" ||\
     /usr/lib/apt/apt-helper download-file "${RSTUDIO_BASE_URL}${RSTUDIO_DEB}" /var/cache/apt/"${RSTUDIO_DEB}" &&\
     apt-get install --no-install-recommends -y /var/cache/apt/"${RSTUDIO_DEB}"
Original file line number	Diff line number	Diff line change
Expand Up		@@ -16,3 +16,4 @@ pkg.lock.bak
		metadata/

		.env
		.secrets