Fix Docker login: use GITHUB_TOKEN instead of expired PAT

anth-volk · claude · anth-volk · commit 55a193ab101c · 2026-03-20T00:15:32.000+01:00
Replace the old docker/login-action (pinned to ancient SHA) using
POLICYENGINE_DOCKER PAT with docker/login-action@v3 using the
automatic GITHUB_TOKEN. Add packages:write permission to both
PR and push Docker jobs.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
@@ -35,15 +35,18 @@ jobs:
   test_container_builds:
     name: Docker
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
     steps:
       - name: Checkout repo
         uses: actions/checkout@v4
       - name: Log in to the Container registry
-        uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
+        uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
-          password: ${{ secrets.POLICYENGINE_DOCKER }}
+          password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build container
         run: docker build -t ghcr.io/policyengine/policyengine docker
   test_env_vars:
diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
@@ -111,15 +111,18 @@ jobs:
     name: Docker
     runs-on: ubuntu-latest
     needs: ensure-model-version-aligns-with-sim-api
+    permissions:
+      contents: read
+      packages: write
     steps:
       - name: Checkout repo
         uses: actions/checkout@v4
       - name: Log in to the Container registry
-        uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
+        uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
-          password: ${{ secrets.POLICYENGINE_DOCKER }}
+          password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build container
         run: docker build -t ghcr.io/policyengine/policyengine docker
       - name: Push container
diff --git a/changelog.d/add-country-package-update-cron.changed.md b/changelog.d/add-country-package-update-cron.changed.md
@@ -1 +1 @@
-Replace push-based country package bump with cron-based workflow that polls PyPI every 30 minutes.
+Replace push-based country package bump with cron-based workflow that polls PyPI every 30 minutes. Fix Docker login to use GITHUB_TOKEN instead of expired PAT.

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-Replace push-based country package bump with cron-based workflow that polls PyPI every 30 minutes.`
	`1`	`+Replace push-based country package bump with cron-based workflow that polls PyPI every 30 minutes. Fix Docker login to use GITHUB_TOKEN instead of expired PAT.`