diff --git a/.gitignore b/.gitignore
index 646d70e1..3f168181 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,6 +2,7 @@
 /tmp/
 /environment*
 /.vscode
+/ssh
 # Byte-compiled / optimized / DLL files
 __pycache__/
diff --git a/Dockerfile b/Dockerfile
index 870e2818..680237fb 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -6,6 +6,9 @@ ENV LANG=C.UTF-8 \
 DEBIAN_FRONTEND=noninteractive
 ARG PY=3.12
+# UID / GID needed for git by ssh
+ARG UID
+ARG GID
 # binutils is needed for the ar command, used by pypandoc.ensure_pandoc_installed()
 RUN set -x \
@@ -55,5 +58,17 @@ RUN pip install --no-cache-dir -e /app/src/oca-github-bot
 # make work and home directory
 RUN mkdir /app/run && chmod ogu+rwx /app/run
+RUN groupadd -g $GID -o app
+RUN useradd -m -u $UID -g $GID -o -s /bin/bash app
 ENV HOME=/app/run
 WORKDIR /app/run
+
# git: change all url to ssh instead of HTTP
# in order to avoid GITHUB_TOKEN leaks in error messages
RUN git config --global url.ssh://git@github.com/.insteadOf https://github.com/
COPY ./ssh /home/app/.ssh/
RUN chown app /home/app/.ssh
RUN chown app /home/app/.ssh/*
+
USER app
diff --git a/README.rst b/README.rst
index aa670344..f5af10cf 100644
--- a/README.rst
+++ b/README.rst
@@ -158,6 +158,14 @@ The bot URL must be exposed on the internet through a reverse proxy and
 configured as a GitHub webhook, using the secret configured in
 ``GITHUB_SECRET``.
+Private repo support
+===========
+
+If the bot needs to access private github repository, you should generate
+a new key, and give access to this key on github.
+If running from docker, it should be placed on a `ssh` directory on the root of this
+repo.
+
 Development
 ===========
@@ -233,6 +241,7 @@ Contributors
 * Sylvain Le Gal (https://twitter.com/legalsylvain)
 * Tecnativa - Pedro M. Baeza
 * Tecnativa - Víctor Martínez
+* Raphaël Reverdy
 Maintainers
 ===========
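Review bot: `ARG UID` and `ARG GID` are declared without defaults, so a plain `docker build` that does not pass `--build-arg UID=... --build-arg GID=...` expands them to empty strings and the later `groupadd -g $GID -o app` / `useradd -m -u $UID ...` steps fail with a missing-argument error rather than a clear message. Give them defaults, e.g. `ARG UID=1000` and `ARG GID=1000`, and extend the comment to say they must match the uid/gid of the host user that owns the mounted `ssh` directory, since that is presumably why they are configurable. The enclosing build stage starts before this hunk.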
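Review bot: `COPY ./ssh /home/app/.ssh/` bakes the private SSH key into an image layer, so anyone who can pull the image (or read the build cache) obtains the key, and it stays in history even if a later layer deletes it; the commit's own motivation is to stop token leaks, so the key should instead be provided at run time via a volume mount or a BuildKit `--mount=type=secret` during build, never as a layer. If a copy at build time is kept, the two `chown app` lines are also incomplete: `COPY` leaves the files root:root with the modes from the build context, the group is never changed, no `chmod` is applied, and `chown app /home/app/.ssh/*` will fail the build if the `ssh` directory is empty because the glob does not match. A single `COPY --chown=app:app ./ssh /home/app/.ssh/` followed by `RUN chmod 700 /home/app/.ssh && chmod 600 /home/app/.ssh/*` replaces the three lines and gives ssh the permissions it requires (ssh refuses group/world-readable identity files). Note also that the `+` markers on the `# git:` through `USER app` lines appear to have been lost in this copy of the patch, so the exact line set of the hunk is inferred.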