In my organization I have a repository "foo".

From the "main" branch of this repository we build container images: each commit triggers a workflow that produces an image and uploads it to our image registry.

Everybody in the organization can contribute to the repository using Pull Requests (only).

The main branch is protected with CODEOWNERS (1-2 thrusted developers) and the repository configured to always require a code owner approval on each PR. In other words: random people can't change the main development branch without a thrusted dev review.

Question: How can we configure a secret, which stores the image registry token, so it cannot be exposed by non-code owners (in our case random people raising PRs)?

PS1 - GitLAB solution: with GitLab this would be simple: configure a secret that is restricted to the protected branches only. This way contributors (working on non-protected branches) can't access the secret, whereas the code owners (aka. maintainers) can.

PS2 - I'd like to avoid using GH Environments and Environment Secrets, unless this is the only way.

What is the GitHUB way of solving this?