From 6f785f0b5a058f49012becf107bcc798c648759b Mon Sep 17 00:00:00 2001
From: Hongming Wang <hongmingwang.rabbit@users.noreply.github.com>
Date: Tue, 14 Apr 2026 17:21:53 -0700
Subject: [PATCH] =?UTF-8?q?fix(ci):=20revert=20Fly=20registry=20username?=
 =?UTF-8?q?=20to=20'x'=20=E2=80=94=20'molecule-ai'=20gets=20401?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Post-mortem on the failed publish-platform-image run on main (PR #82):

Fly's Docker registry requires username EXACTLY equal to "x". My
code-review "readability fix" changing it to "molecule-ai" caused
every push to return 401 Unauthorized. Verified locally:

  echo $FLY_API_TOKEN | docker login registry.fly.io -u x --password-stdin
  → Login Succeeded

  echo $FLY_API_TOKEN | docker login registry.fly.io -u molecule-ai --password-stdin
  → 401 Unauthorized

Lesson: don't second-guess docs that specify a literal value. Comment
now says "MUST be literal 'x'" with a 2026-04-15 verification note to
prevent future regressions.

Code-review process improvement: when reviewing a change against a
vendor API, prefer "preserve exact doc-specified values" over readability
suggestions. Logged as a cron-learning.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 .github/workflows/publish-platform-image.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/publish-platform-image.yml b/.github/workflows/publish-platform-image.yml
index 0c217f3a..03479723 100644
--- a/.github/workflows/publish-platform-image.yml
+++ b/.github/workflows/publish-platform-image.yml
@@ -50,16 +50,16 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Log in to Fly registry
-        # Fly's registry is entirely token-auth: username is ignored, password
-        # must be a valid FLY_API_TOKEN. We pass "molecule-ai" as a human-
-        # readable placeholder so this step is obvious to future readers.
+        # username MUST be literal "x". Fly's registry returns 401 for any
+        # other value (verified locally 2026-04-15 — "molecule-ai" fails,
+        # "x" succeeds with the same token). The password is the FLY_API_TOKEN.
         # Rotation: see docs/runbooks/saas-secrets.md — FLY_API_TOKEN lives in
         # two places (GitHub Actions secret here + `fly secrets` on molecule-cp)
         # and MUST be updated in both on rotation.
         uses: docker/login-action@v3
         with:
           registry: registry.fly.io
-          username: molecule-ai
+          username: x
           password: ${{ secrets.FLY_API_TOKEN }}
 
       - name: Compute tags