diff --git a/__tests__/buildx/bake.test.itg.ts b/__tests__/buildx/bake.test.itg.ts index b3ce79a4..893b95b9 100644 --- a/__tests__/buildx/bake.test.itg.ts +++ b/__tests__/buildx/bake.test.itg.ts @@ -37,12 +37,18 @@ maybe('getDefinition', () => { ['binaries-cross'], path.join(fixturesDir, 'bake-buildx-0.10.4-binaries-cross.json') ], + [ + 'https://github.com/docker/test-docker-action.git#remote-private', + ['default'], + path.join(fixturesDir, 'bake-buildx-0.10.4-binaries-cross.json') + ] ])('given %p', async (source: string, targets: string[], out: string) => { const bake = new Bake(); const expectedDef = JSON.parse(fs.readFileSync(out, {encoding: 'utf-8'}).trim()) expect(await bake.getDefinition({ source: source, - targets: targets + targets: targets, + githubToken: process.env.GITHUB_TOKEN, })).toEqual(expectedDef); }); }); diff --git a/src/buildx/bake.ts b/src/buildx/bake.ts index 5299cae1..4b66b1cf 100644 --- a/src/buildx/bake.ts +++ b/src/buildx/bake.ts @@ -36,6 +36,8 @@ export interface BakeCmdOpts { sbom?: string; source?: string; targets?: Array; + + githubToken?: string; // for auth with remote definitions on private repos } export class Bake { @@ -80,6 +82,10 @@ export class Bake { args.push('--set', override); } } + if (cmdOpts.githubToken) { + const gitAuthTokenSecret = Inputs.resolveBuildSecretString(`GIT_AUTH_TOKEN=${cmdOpts.githubToken}`); + args.push('--set', `*.secrets=${gitAuthTokenSecret}`); + } if (cmdOpts.load) { args.push('--load'); } diff --git a/src/buildx/inputs.ts b/src/buildx/inputs.ts index b77c00b4..15aa8c5e 100644 --- a/src/buildx/inputs.ts +++ b/src/buildx/inputs.ts 
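Review bot: The new `remote-private` case passes `process.env.GITHUB_TOKEN` straight through, so on runs where the variable is unset (for example pull requests from forks, where secrets are usually withheld) `githubToken` is `undefined`, the auth branch in `Bake` is skipped, and the case fails for a reason unrelated to the code under test. Gate the case on the token being present, for instance by skipping it when `!process.env.GITHUB_TOKEN`, and add a comment such as `// requires a token with read access to the private fixture repo`. The case also reuses the `binaries-cross` fixture for target `default`. If the printed definition includes the injected `secrets` entry with its random temp path, `toEqual` against a static file cannot match, so this is worth confirming.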
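Review bot: `--set *.secrets=…` attaches the GitHub token as the `GIT_AUTH_TOKEN` build secret to every target, so any build step that mounts that secret id can read it, not only the fetch of the remote definition. Depending on how bake merges `--set` values for list attributes, the wildcard override may also replace secrets that targets already declare in the bake file. The token is written to a temp file whenever `githubToken` is set, even if `cmdOpts.source` is a local path. Consider adding the override only when the source is a remote Git reference, and document the scope beside the push: `// exposes GIT_AUTH_TOKEN to all targets; only needed for remote definitions on private repos`. The enclosing method starts and ends outside the hunk.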
@@ -76,24 +76,23 @@ export class Inputs { } public static resolveBuildSecretString(kvp: string): string { - return Inputs.resolveBuildSecret(kvp, false); + const [key, file] = Inputs.resolveBuildSecret(kvp, false); + return `id=${key},src=${file}`; } public static resolveBuildSecretFile(kvp: string): string { - return Inputs.resolveBuildSecret(kvp, true); + const [key, file] = Inputs.resolveBuildSecret(kvp, true); + return `id=${key},src=${file}`; } public static resolveBuildSecretEnv(kvp: string): string { const [key, value] = parseKvp(kvp); - return `id=${key},env=${value}`; } - public static resolveBuildSecret(kvp: string, file: boolean): string { + public static resolveBuildSecret(kvp: string, file: boolean): [string, string] { const [key, _value] = parseKvp(kvp); - let value = _value; - if (file) { if (!fs.existsSync(value)) { throw new Error(`secret file ${value} not found`); @@ -102,7 +101,7 @@ export class Inputs { } const secretFile = Context.tmpName({tmpdir: Context.tmpDir()}); fs.writeFileSync(secretFile, value); - return `id=${key},src=${secretFile}`; + return [key, secretFile]; } public static getProvenanceInput(name: string): string {
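Review bot: `resolveBuildSecret` stays `public static` but its return type changes from `string` to `[string, string]`, which breaks any external caller that passed the result directly as a secret spec; an untyped JavaScript consumer would silently get the array stringified as `key,path`. If the tuple form is meant as an internal helper, make it `private` and keep the string-returning wrappers as the public surface, or call out the breaking change, and add a TSDoc line such as `/** Writes the secret value to a temp file and returns [id, path]. */`. Both wrappers interpolate `key` and `file` into `id=${key},src=${file}` unescaped, so a comma in either would presumably be read as an extra field by the consumer of that spec; this is not new in the commit, but worth validating now that a token-bearing path uses it. The body of `resolveBuildSecret` continues in the next hunk.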
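Review bot: With this commit a GitHub token now reaches `fs.writeFileSync(secretFile, value)`, which creates the file with the default mode (0o666 masked by the process umask), and nothing visible here removes the file afterwards. Restrict it to the owner with `fs.writeFileSync(secretFile, value, {mode: 0o600});` and confirm that whatever owns `Context.tmpDir()` deletes the directory at the end of the job. The function starts in the previous hunk.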