diff --git a/README.md b/README.md
index 250fdf6..d52b6ad 100644
--- a/README.md
+++ b/README.md
@@ -315,7 +315,7 @@ smoketests on them.
 
 2. To build packages using `mbx`:
 
-    mbx package --repo <repo, default: shapeblue/cloudstack> --tag <tag|branch|PR, default: main> --distro <distro - el7|el8|el9|debian, default: el8> --output-dir <output directory, default: /export/testing/builds> --flags <maven build flags, default: ''>
+    mbx package --repo <repo, default: shapeblue/cloudstack> --tag <tag|branch|PR, default: main> --distro <distro - el7|el8|el9|debian, default: el8> --output-dir <output directory, default: /export/testing/builds> --flags <maven build flags, default: ''> --github-token <github token, optional, falls back to GITHUB_TOKEN env var>
 
 2. To deploy an environment, run:
 
diff --git a/files/build.sh b/files/build.sh
index 84e6ec3..80a7e2a 100644
--- a/files/build.sh
+++ b/files/build.sh
@@ -59,6 +59,23 @@ echo "PR ID: $PR_ID"
 echo "ACS Branch: $ACS_BRANCH"
 echo "Distro: $DISTRO"
 echo "Flags: $FLAGS"
+if [[ -n "${GITHUB_TOKEN:-}" ]]; then
+  echo "GitHub token: configured"
+else
+  echo "GitHub token: not set"
+fi
+
+git_auth_args=()
+curl_auth_args=()
+if [[ -n "${GITHUB_TOKEN:-}" ]]; then
+  github_git_auth_b64="$(printf 'x-access-token:%s' "$GITHUB_TOKEN" | base64 | tr -d '\n')"
+  git_auth_args=(-c "http.https://github.com/.extraheader=Authorization: Basic $github_git_auth_b64")
+  curl_auth_args=(-H "Authorization: Bearer $GITHUB_TOKEN")
+fi
+
+run_git() {
+  git "${git_auth_args[@]}" "$@"
+}
 
 export ROOT=/jenkins
 cd $ROOT
@@ -67,47 +84,47 @@ rm -fr deps/*jar deps/awsapi-lib deps/*.mar NONOSS
 # Initialize git repository and fetch code
 echo "Initializing git repository..."
 if [ ! -d ".git" ]; then
-    git init .
+  git init .
 fi
 
 # Add remote origin if it doesn't exist
 if ! git remote get-url origin >/dev/null 2>&1; then
     echo "Adding remote origin: https://github.com/$GIT_REPO.git"
-    git remote add origin "https://github.com/$GIT_REPO.git"
+  git remote add origin "https://github.com/$GIT_REPO.git"
 else
     echo "Setting remote origin URL: https://github.com/$GIT_REPO.git"
-    git remote set-url origin "https://github.com/$GIT_REPO.git"
+  git remote set-url origin "https://github.com/$GIT_REPO.git"
 fi
 
 # Fetch the repository
 echo "Fetching repository from https://github.com/$GIT_REPO.git"
-git reset --hard
-git clean -fd
-git fetch origin --depth=1 --progress
+run_git reset --hard
+run_git clean -fd
+run_git fetch origin --depth=1 --progress
 
 if [[ "${PR_ID}" != "" ]]; then
   # Find base branch
-  BASE=$(curl https://api.github.com/repos/$GIT_REPO/pulls/$PR_ID | jq -r '.base.ref')
-  git checkout ${BASE}
+  BASE=$(curl "${curl_auth_args[@]}" https://api.github.com/repos/$GIT_REPO/pulls/$PR_ID | jq -r '.base.ref')
+  run_git checkout ${BASE}
 else
   # For regular branches/tags
   echo "Fetching and checking out: $ACS_BRANCH"
-  if git ls-remote --heads origin "$ACS_BRANCH" | grep -q "$ACS_BRANCH"; then
+  if run_git ls-remote --heads origin "$ACS_BRANCH" | grep -q "$ACS_BRANCH"; then
       # It's a branch
-      if [ "$(git rev-parse --abbrev-ref HEAD)" = "$ACS_BRANCH" ]; then
+    if [ "$(run_git rev-parse --abbrev-ref HEAD)" = "$ACS_BRANCH" ]; then
           echo "Already on branch $ACS_BRANCH, pulling latest changes with rebase..."
-          git pull --rebase origin "$ACS_BRANCH"
+      run_git pull --rebase origin "$ACS_BRANCH"
       else
-          git fetch origin "$ACS_BRANCH:$ACS_BRANCH" --depth=1 --progress
-          git checkout "$ACS_BRANCH"
+      run_git fetch origin "$ACS_BRANCH:$ACS_BRANCH" --depth=1 --progress
+      run_git checkout "$ACS_BRANCH"
       fi
-  elif git ls-remote --tags origin "$ACS_BRANCH" | grep -q "$ACS_BRANCH"; then
+  elif run_git ls-remote --tags origin "$ACS_BRANCH" | grep -q "$ACS_BRANCH"; then
       # It's a tag
-      git fetch origin "refs/tags/$ACS_BRANCH:refs/tags/$ACS_BRANCH" --depth=1 --progress
-      git checkout "refs/tags/$ACS_BRANCH"
+    run_git fetch origin "refs/tags/$ACS_BRANCH:refs/tags/$ACS_BRANCH" --depth=1 --progress
+    run_git checkout "refs/tags/$ACS_BRANCH"
   else
       # Try to fetch as commit SHA
-      git checkout "$ACS_BRANCH"
+    run_git checkout "$ACS_BRANCH"
   fi
 fi
 
@@ -213,6 +230,15 @@ else
   do
     cp $package_folder/$pkg /output
   done
+  for f in /etc/yum.repos.d/CentOS-*.repo; do
+    [ -e "$f" ] || continue
+    sed -i \
+      -e 's|^mirrorlist=|#mirrorlist=|g' \
+      -e 's|^#baseurl=http://mirror.centos.org|baseurl=https://vault.centos.org|g' \
+      "$f"
+  done
+  dnf install createrepo -y || true
+  createrepo /output
 fi
 
 rm -rf $ROOT/*
diff --git a/mbx b/mbx
index fdba014..3028987 100755
--- a/mbx
+++ b/mbx
@@ -103,9 +103,10 @@ package() {
   output_dir="/export/testing/builds"
   pr_id=""
   maven_flags=""
+  github_token="${GITHUB_TOKEN:-}"
 
   # Parse named arguments
-  TEMP=$(getopt -o h --long help,repo:,tag:,pr:,distro:,output-dir:,flags: -n 'mbx package' -- "$@")
+  TEMP=$(getopt -o h --long help,repo:,tag:,pr:,distro:,output-dir:,flags:,github-token: -n 'mbx package' -- "$@")
   if [ $? != 0 ]; then echo "Failed parsing options." >&2; exit 1; fi
   eval set -- "$TEMP"
 
@@ -119,12 +120,14 @@ package() {
         echo "  --distro <distro>      Distribution: el7/el8/el9/debian (default: el8)"
         echo "  --output-dir <dir>     Output directory (default: /export/testing/builds)"
         echo "  --flags <flags>        Comma-separated Maven build flags (e.g., '-DskipTests,-T4')"
+        echo "  --github-token <token> GitHub token for private repos/tags (default: GITHUB_TOKEN env var)"
         echo "  -h, --help             Show this help"
         echo ""
         echo "Examples:"
         echo "  mbx package --tag 4.20"
         echo "  mbx package --tag 1234 --distro debian --flags '-DskipTests'"
         echo "  mbx package --repo shapeblue/cloudstack --tag feature-branch --flags '-DskipTests,-T4'"
+        echo "  mbx package --repo myorg/private-repo --tag 1.2.3 --github-token <token>"
         exit 0
         ;;
       --repo)
@@ -164,6 +167,10 @@ package() {
           shift 1
         fi
         ;;
+      --github-token)
+        github_token="$2"
+        shift 2
+        ;;
       --)
         shift
         break
@@ -204,6 +211,11 @@ package() {
   echo "  Output: $output_dir"
   echo "  PR ID: ${pr_id:-none}"
   echo "  Maven flags: ${maven_flags:-none}"
+  if [[ -n "$github_token" ]]; then
+    echo "  GitHub token: configured"
+  else
+    echo "  GitHub token: not set"
+  fi
 
   # Generate UUID
   if command -v uuid >/dev/null 2>&1; then
@@ -242,6 +254,7 @@ package() {
     -e "PR_ID=$pr_id" \
     -e "ACS_BRANCH=$tag" \
     -e "DISTRO=$distro" \
+    -e "GITHUB_TOKEN=$github_token" \
     -e "FLAGS='$maven_flags'" \
     --name "$container_name" \
     "$image_name" \
@@ -259,7 +272,7 @@ package() {
   # Is it possible to scp local maven cache to container?
 
   issh root@"$builder_ip" \
-    GIT_REPO="$repo" GIT_TAG="$tag" PR_ID="$pr_id" ACS_BRANCH="$tag" DISTRO="$distro" FLAGS="'$maven_flags'" \
+    GIT_REPO="$repo" GIT_TAG="$tag" PR_ID="$pr_id" ACS_BRANCH="$tag" DISTRO="$distro" GITHUB_TOKEN="$github_token" FLAGS="'$maven_flags'" \
     bash -x /jenkins/build.sh
 
   echo "Packages can be found at $output_dir"