From 6f3c16eb78b06d4def01a95e209289d33c566400 Mon Sep 17 00:00:00 2001 From: Hongming Wang Date: Thu, 16 Apr 2026 08:45:20 -0700 Subject: [PATCH] fix(ci): use docker login CLI instead of login-action to bypass macOS Keychain docker/login-action@v3 ignores DOCKER_CONFIG and still tries the macOS system keychain on the self-hosted runner, producing: error storing credentials: User interaction is not allowed. (-25308) Switch to `docker login ... --password-stdin` which respects DOCKER_CONFIG and writes credentials to the per-run config.json we created in the isolate step. Applied to both GHCR and Fly registry logins in both publish workflows. Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/publish-canvas-image.yml | 7 ++----- .github/workflows/publish-platform-image.yml | 20 ++++---------------- 2 files changed, 6 insertions(+), 21 deletions(-) diff --git a/.github/workflows/publish-canvas-image.yml b/.github/workflows/publish-canvas-image.yml index d9cbda30..c0c0323f 100644 --- a/.github/workflows/publish-canvas-image.yml +++ b/.github/workflows/publish-canvas-image.yml @@ -71,11 +71,8 @@ jobs: uses: docker/setup-buildx-action@v3 - name: Log in to GHCR - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} + shell: bash + run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin - name: Compute tags id: tags diff --git a/.github/workflows/publish-platform-image.yml b/.github/workflows/publish-platform-image.yml index 6e848265..860d24e6 100644 --- a/.github/workflows/publish-platform-image.yml +++ b/.github/workflows/publish-platform-image.yml 
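Review bot: The added `run:` line in the "Log in to GHCR" step of publish-canvas-image.yml expands `${{ secrets.GITHUB_TOKEN }}` and `${{ github.actor }}` into the script text before bash runs, so the token becomes part of the script the runner generates for the step and is parsed as shell source rather than read as data. On a persistent self-hosted runner it is safer to pass both values through `env:` and reference them as shell variables, which keeps the token out of the rendered script and makes the quoting independent of its contents. `printf '%s'` also avoids `echo` treating a leading `-` as an option. Both login steps added to publish-platform-image.yml (`GITHUB_TOKEN` and `FLY_API_TOKEN`) use the same pattern and would take the same change.

```yaml
      - name: Log in to GHCR
        shell: bash
        env:
          REGISTRY_USER: ${{ github.actor }}
          REGISTRY_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: printf '%s' "$REGISTRY_TOKEN" | docker login ghcr.io -u "$REGISTRY_USER" --password-stdin
```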
@@ -88,24 +88,12 @@ jobs: uses: docker/setup-buildx-action@v3 - name: Log in to GHCR - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} + shell: bash + run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin - name: Log in to Fly registry - # username MUST be literal "x". Fly's registry returns 401 for any - # other value (verified locally 2026-04-15 — "molecule-ai" fails, - # "x" succeeds with the same token). The password is the FLY_API_TOKEN. - # Rotation: see docs/runbooks/saas-secrets.md — FLY_API_TOKEN lives in - # two places (GitHub Actions secret here + `fly secrets` on molecule-cp) - # and MUST be updated in both on rotation. - uses: docker/login-action@v3 - with: - registry: registry.fly.io - username: x - password: ${{ secrets.FLY_API_TOKEN }} + shell: bash + run: echo "${{ secrets.FLY_API_TOKEN }}" | docker login registry.fly.io -u x --password-stdin - name: Compute tags id: tags
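Review bot: Replacing docker/login-action in both login steps also drops that action's post-job logout (its `logout` input defaults to true), so the GHCR and Fly credentials now stay in the config.json under DOCKER_CONFIG after the job ends. The isolate step that creates that directory is outside this hunk; if it does not delete the directory at the end of the run, a final step with `if: always()` running `docker logout ghcr.io` and `docker logout registry.fly.io` would restore the previous behaviour. This matters most for the long-lived FLY_API_TOKEN on a self-hosted runner. Separately, the removed comment block explaining why the Fly username must be the literal `x`, and that FLY_API_TOKEN has to be rotated in two places, still appears to apply to the new `-u x` line and is worth keeping above it.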