fix(ci): use docker login CLI instead of login-action to bypass macOS Keychain

docker/login-action@v3 ignores DOCKER_CONFIG and still tries the macOS system keychain on the self-hosted runner, producing: error storing credentials: User interaction is not allowed. (-25308) Switch to `docker login ... --password-stdin` which respects DOCKER_CONFIG and writes credentials to the per-run config.json we created in the isolate step. Applied to both GHCR and Fly registry logins in both publish workflows. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-16 08:45:20 -07:00 · 2026-04-16 08:45:20 -07:00 · 6f3c16eb78
commit 6f3c16eb78
parent 071fb0da88
2 changed files with 6 additions and 21 deletions
--- a/.github/workflows/publish-canvas-image.yml
+++ b/.github/workflows/publish-canvas-image.yml
@ -71,11 +71,8 @@ jobs:
        uses: docker/setup-buildx-action@v3

      - name: Log in to GHCR
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
+        shell: bash
+        run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin

      - name: Compute tags
        id: tags
--- a/.github/workflows/publish-platform-image.yml
+++ b/.github/workflows/publish-platform-image.yml
@ -88,24 +88,12 @@ jobs:
        uses: docker/setup-buildx-action@v3

      - name: Log in to GHCR
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
+        shell: bash
+        run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin

      - name: Log in to Fly registry
-        # username MUST be literal "x". Fly's registry returns 401 for any
-        # other value (verified locally 2026-04-15 — "molecule-ai" fails,
-        # "x" succeeds with the same token). The password is the FLY_API_TOKEN.
-        # Rotation: see docs/runbooks/saas-secrets.md — FLY_API_TOKEN lives in
-        # two places (GitHub Actions secret here + `fly secrets` on molecule-cp)
-        # and MUST be updated in both on rotation.
-        uses: docker/login-action@v3
-        with:
-          registry: registry.fly.io
-          username: x
-          password: ${{ secrets.FLY_API_TOKEN }}
+        shell: bash
+        run: echo "${{ secrets.FLY_API_TOKEN }}" | docker login registry.fly.io -u x --password-stdin

      - name: Compute tags
        id: tags