diff --git a/.env.dist b/.env.dist
index e69de29..6c8d6d1 100644
--- a/.env.dist
+++ b/.env.dist
@@ -0,0 +1 @@
+PREREVIEW_REVIEWS_DATA_TOKEN=token-here
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 42fd4e8..691173b 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -42,6 +42,8 @@ jobs:
           cache-to: type=gha,mode=max,ignore-error=true
           no-cache-filters: build
           target: prod
+          secrets: |
+            PREREVIEW_REVIEWS_DATA_TOKEN=${{ secrets.PREREVIEW_REVIEWS_DATA_TOKEN }}
 
       - name: 'Upload build'
         uses: actions/upload-artifact@v4.3.3
diff --git a/Dockerfile b/Dockerfile
index 66e3466..7914487 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -10,7 +10,9 @@ COPY observablehq.config.js observablehq.config.js
 COPY src/ src/
 
 FROM builder AS build
-RUN npx observable build
+RUN --mount=type=secret,id=PREREVIEW_REVIEWS_DATA_TOKEN \
+  PREREVIEW_REVIEWS_DATA_TOKEN=$(cat /run/secrets/PREREVIEW_REVIEWS_DATA_TOKEN) \
+  npx observable build
 
 FROM caddy:2.8.4-alpine AS prod
 COPY Caddyfile /etc/caddy/Caddyfile