
[image-builder-mk3] Keep credentials out of the workspace #6631

@csweichel


In image-builder-mk3 image-builds happen in headless Gitpod workspaces. Those workspaces are well isolated from each other and the node they run on. However, there's no such isolation between things that run inside a workspace, e.g. buildkit. If we placed the credentials required to push the image inside the workspace, users could potentially access those credentials during the image build.

We need to find a way so that we can push the image, but don't give users access to those credentials at build time.
