diff --git a/.github/workflows/build-self-host.yml b/.github/workflows/build-self-host.yml
index e4ccb2eb2d..39fa3a0f43 100644
--- a/.github/workflows/build-self-host.yml
+++ b/.github/workflows/build-self-host.yml
@@ -48,11 +48,17 @@ jobs:
 run: az acr login -n bitwardenqa
 - name: Login to Azure - Prod Subscription
-if: ${{ env.is_publish_branch == 'true' }}
 uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf
 with:
 creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
+- name: Retrieve github PAT secrets
+id: retrieve-secret-pat
+uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af
+with:
+keyvault: "bitwarden-prod-kv"
+secrets: "github-pat-bitwarden-devops-bot-repo-scope"
+
 - name: Retrieve secrets
 if: ${{ env.is_publish_branch == 'true' }}
 id: retrieve-secrets
@@ -62,7 +68,8 @@ jobs:
 secrets: "docker-password,
 docker-username,
 dct-delegate-2-repo-passphrase,
-dct-delegate-2-key"
+dct-delegate-2-key
+github-pat-bitwarden-devops-bot-repo-scope"
 - name: Log into Docker
 if: ${{ env.is_publish_branch == 'true' }}
@@ -118,6 +125,8 @@ jobs:
 linux/arm64/v8
 push: true
 tags: ${{ steps.tag-list.outputs.tags }}
+secrets: |
+"GH_PAT=${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}"
 - name: Log out of Docker and disable Docker Notary
 if: ${{ env.is_publish_branch == 'true' }}
diff --git a/docker-unified/Dockerfile b/docker-unified/Dockerfile
index 110ca7991b..04952c3d1c 100644
--- a/docker-unified/Dockerfile
+++ b/docker-unified/Dockerfile
@@ -1,3 +1,4 @@
+# syntax = docker/dockerfile:1.2
 ###############################################
 # Build stage #
 ###############################################
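Review bot: The new `Retrieve github PAT secrets` step carries no `if:` guard, and the `if: ${{ env.is_publish_branch == 'true' }}` that gated `Login to Azure - Prod Subscription` is removed, so the prod key-vault login and the PAT fetch now run on every execution of this job rather than only on publish branches. If the job also runs for pull requests from forks, `secrets.AZURE_PROD_KV_CREDENTIALS` is empty there and the login step would fail the build; if the PAT is intentionally needed on every build, the neighbouring `Retrieve secrets` step is still gated, which is inconsistent and deserves a comment. Either restore the guard on both steps, or add above the new step `# PAT is fetched on every run so the Dockerfile's GitHub API call is authenticated; prod KV login therefore cannot be gated on is_publish_branch`. The enclosing steps list starts and ends outside the hunk.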
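Review bot: The added line drops the comma after `dct-delegate-2-key`, so the double-quoted multi-line `secrets` value folds to `... dct-delegate-2-key github-pat-bitwarden-devops-bot-repo-scope` and the action receives one space-joined name instead of two entries. The build step reads the PAT from `steps.retrieve-secret-pat.outputs`, so this second retrieval of the same secret appears redundant and could simply be dropped; if it stays, restore the separator: `dct-delegate-2-key,` / `github-pat-bitwarden-devops-bot-repo-scope"`. The `with:` mapping this value belongs to starts outside the hunk.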
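Review bot: The new `# syntax = docker/dockerfile:1.2` directive pulls the BuildKit frontend image from the registry at build time by a floating minor tag, while every action in the workflow hunks of this same commit is pinned to a commit SHA. For a release image consider pinning the frontend by digest, e.g. `# syntax=docker/dockerfile:1.2@sha256:<FRONTEND_IMAGE_DIGEST>` (placeholder digest), so the build toolchain is reproducible and not subject to tag reassignment.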
@@ -13,7 +14,12 @@ RUN apt-get update && apt-get install -y \
 WORKDIR /tmp
 # Download tags from 'clients' repository
-RUN curl https://api.github.com/repos/bitwarden/clients/git/refs/tags --output tags.json
+RUN --mount=type=secret,id=GH_PAT,target=/etc/secrets/GH_PAT if [ -e "/etc/secrets/GH_PAT" ]; then \
+curl --header "Authorization: token $(cat /etc/secrets/GH_PAT)" \
+ https://api.github.com/repos/bitwarden/clients/git/refs/tags --output tags.json ; else \
+ curl https://api.github.com/repos/bitwarden/clients/git/refs/tags --output tags.json ; fi
+
+RUN cat tags.json
 # Grab last tag/release of the 'web' client
 RUN cat tags.json | jq -r 'last(.[] | select(.ref|test("refs/tags/web-v[0-9]{4}.[0-9]{1,2}.[0-9]+"))) | .ref | split("/")[2]' > tag.txt
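Review bot: Neither `curl` invocation passes `--fail`, so a 401 from an expired or mis-scoped PAT, or a 403 rate-limit response, writes the JSON error body into `tags.json` and the build continues; the later `jq` filter then matches no ref and `tag.txt` is silently empty. The added `RUN cat tags.json` prints the whole response into the build log, which is currently the only place such an error body would show up. Add `--fail --silent --show-error` to both calls so a bad response stops the build at this step, and consider dropping the `cat` layer once that is in place. The rewrite below also continues the `RUN` onto indented lines so the if/else structure is readable.

```dockerfile
RUN --mount=type=secret,id=GH_PAT,target=/etc/secrets/GH_PAT \
    if [ -e "/etc/secrets/GH_PAT" ]; then \
      curl --fail --silent --show-error \
        --header "Authorization: token $(cat /etc/secrets/GH_PAT)" \
        https://api.github.com/repos/bitwarden/clients/git/refs/tags --output tags.json ; \
    else \
      curl --fail --silent --show-error \
        https://api.github.com/repos/bitwarden/clients/git/refs/tags --output tags.json ; \
    fi
# … unchanged: tag extraction with jq …
```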