diff --git a/.github/actions/setup-haxe/action.yml b/.github/actions/setup-haxe/action.yml
index 54db9bf79..a27d8bc68 100644
--- a/.github/actions/setup-haxe/action.yml
+++ b/.github/actions/setup-haxe/action.yml
@@ -17,6 +17,8 @@ inputs:
   targets:
     description: 'Targets we plan to compile to. Installs native dependencies needed.'
     required: true
+  gh-token:
+    description: 'GitHub secret for private repos as dependencies'
 
 runs:
   using: "composite"
@@ -73,7 +75,9 @@ runs:
     name: Install dependencies
     shell: bash
     run: |
-      haxelib --debug --global run hmm install
+      git config --global url.https://x-access-token:${{ inputs.gh-token }}@github.com/.insteadOf https://github.com/
+      haxelib --global run hmm install -q
+      git config --global --unset url.https://x-access-token:${{ inputs.gh-token }}@github.com/.insteadOf
       echo "TIMER_DONE=$(date +%s)" >> "$GITHUB_ENV"
 
   # by default use a shared hxcpp cache
diff --git a/.github/workflows/build-game.yml b/.github/workflows/build-game.yml
index 3bfea20f2..b262b08df 100644
--- a/.github/workflows/build-game.yml
+++ b/.github/workflows/build-game.yml
@@ -23,9 +23,8 @@ jobs:
 
     steps:
     - name: Make git happy
-      if: ${{ matrix.target == 'macos' }}
       run: |
-        git config --global --add safe.directory $GITHUB_WORKSPACE
+        git config --global --replace-all safe.directory $GITHUB_WORKSPACE
 
     - name: Get checkout token
       uses: actions/create-github-app-token@v1
@@ -43,6 +42,8 @@ jobs:
 
     - name: Setup build environment
       uses: ./.github/actions/setup-haxe
+      with:
+        gh-token: ${{ steps.app_token.outputs.token }}
 
     - name: Build game
       if: ${{ matrix.target == 'windows' }}
@@ -87,6 +88,7 @@ jobs:
       with:
         submodules: 'recursive'
         token: ${{ steps.app_token.outputs.token }}
+        persist-credentials: false
 
     - name: Config haxelib
       run: |
@@ -103,7 +105,8 @@ jobs:
     - if: ${{ steps.cache-hmm.outputs.cache-hit != 'true' }}
       name: Install dependencies
       run: |
-        haxelib --global run hmm install
+        git config --global url.https://x-access-token:${{ steps.app_token.outputs.token }}@github.com/.insteadOf https://github.com/
+        haxelib --global run hmm install -q
 
     - if: ${{ matrix.target != 'html5' }}
       name: Restore hxcpp cache
diff --git a/build/Dockerfile b/build/Dockerfile
index 88b44f7a6..a52749e11 100644
--- a/build/Dockerfile
+++ b/build/Dockerfile
@@ -28,6 +28,7 @@ echo 'fs.inotify.max_user_instances=1280' | tee -a /etc/sysctl.conf
 EOF
 
 ENV DEBIAN_FRONTEND="noninteractive"
+ENV GIT_TERMINAL_PROMPT="0"
 
 # Prepare APT
 RUN <<EOF
@@ -70,6 +71,8 @@ RUN <<EOF
 cat <<EOC >> /etc/gitconfig
 [safe]
   directory = *
+[credential]
+  helper = cache
 EOC
 
 ssh-keyscan -t rsa,ecdsa,ed25519 github.com >> /etc/ssh/ssh_known_hosts