We have a private github enterprise where all repo access is authenticated. SSH is not available, only personal access tokens.
Is it possible to supply the PAT to ansible-builder so that I can download collections from our GHE repos?
collections:
Where do you normally supply the PAT?
Maybe this might be worth a try:
collections:
- name: https://username:token@private.github.enterprise/repo/collection.git
type: git
version: 1.0.0
If you put the token in there, you should make sure afterwards that the generated image doesn’t contain the token. It could be (I don’t know and haven’t checked) that ansible-builder stores some information from the build process in the image for introspection reasons, and this could also contain information on which collections where installed (and the easiest way to do that is to simply keep the requirements.yml file, which includes the token). Maybe it doesn’t do that, but I’d still check, just in case 
Just for clarity, it is not recommended to use git repos for production collection installation. It is meant as a developer shortcut. You should investigate installing some form of galaxy server to serve out the artifacts. Or at the very minimum, host the artifacts on some other internal non-authenticated web service.
I just tested this with Gitlab and it should work.
$ cat requirements.yml
collections:
- name: "https://oauth2:mytoken@gitlab.example.com/example/example.git"
type: git
version: main
$ ansible-galaxy collection install -r requirements.ymlGood call, but judging by the Containerfile created by ansible-builder (or Podman) it does not keep the requirements.yml file.
RUN ansible-galaxy role install $ANSIBLE_GALAXY_CLI_ROLE_OPTS -r requirements.yml --roles-path "/usr/share/ansible/roles"
RUN ANSIBLE_GALAXY_DISABLE_GPG_VERIFY=1 ansible-galaxy collection install $ANSIBLE_GALAXY_CLI_COLLECTION_OPTS -r requirements.yml --collections-path "/usr/share/ansible/collections"