diff --git a/.github/workflows/publish-canvas-image.yml b/.github/workflows/publish-canvas-image.yml index d9cbda30..c0c0323f 100644 --- a/.github/workflows/publish-canvas-image.yml +++ b/.github/workflows/publish-canvas-image.yml @@ -71,11 +71,8 @@ jobs: uses: docker/setup-buildx-action@v3 - name: Log in to GHCR - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} + shell: bash + run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin - name: Compute tags id: tags diff --git a/.github/workflows/publish-platform-image.yml b/.github/workflows/publish-platform-image.yml index 6e848265..860d24e6 100644 --- a/.github/workflows/publish-platform-image.yml +++ b/.github/workflows/publish-platform-image.yml @@ -88,24 +88,12 @@ jobs: uses: docker/setup-buildx-action@v3 - name: Log in to GHCR - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} + shell: bash + run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin - name: Log in to Fly registry - # username MUST be literal "x". Fly's registry returns 401 for any - # other value (verified locally 2026-04-15 — "molecule-ai" fails, - # "x" succeeds with the same token). The password is the FLY_API_TOKEN. - # Rotation: see docs/runbooks/saas-secrets.md — FLY_API_TOKEN lives in - # two places (GitHub Actions secret here + `fly secrets` on molecule-cp) - # and MUST be updated in both on rotation. - uses: docker/login-action@v3 - with: - registry: registry.fly.io - username: x - password: ${{ secrets.FLY_API_TOKEN }} + shell: bash + run: echo "${{ secrets.FLY_API_TOKEN }}" | docker login registry.fly.io -u x --password-stdin - name: Compute tags id: tags