From a46c156fba5e5d88e0bdf3c3df220ee19489207a Mon Sep 17 00:00:00 2001 From: Ameer Ghani Date: Mon, 30 Mar 2026 17:52:10 +0000 Subject: [PATCH 1/5] Replace docker/login-action with inline docker login Drop dependency on docker/login-action by replacing it with a simple docker login command. Just reduces our supply chain exposure a bit. Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/boulder-ci.yml | 16 ++++------------ .github/workflows/release.yml | 8 +++----- 2 files changed, 7 insertions(+), 17 deletions(-) diff --git a/.github/workflows/boulder-ci.yml b/.github/workflows/boulder-ci.yml index 79c520d2500..739c3fe053b 100644 --- a/.github/workflows/boulder-ci.yml +++ b/.github/workflows/boulder-ci.yml @@ -75,18 +75,10 @@ jobs: with: persist-credentials: false - - name: Docker Login - # You may pin to the exact commit or the version. - # uses: docker/login-action@f3364599c6aa293cdc2b8391b1b56d0c30e45c8a - uses: docker/login-action@v3.6.0 - with: - # Username used to log against the Docker registry - username: ${{ secrets.DOCKER_USERNAME}} - # Password or personal access token used to log against the Docker registry - password: ${{ secrets.DOCKER_PASSWORD}} - # Log out from the Docker registry at the end of a job - logout: true - continue-on-error: true + - name: Login to GitHub Container Registry + run: printenv GITHUB_TOKEN | docker login -u "$GITHUB_ACTOR" --password-stdin ghcr.io + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Print the env variable being used to pull the docker image. For # informational use. diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 63ad94ecee4..19ea78a70c6 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
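Review bot: The inline `docker login` that replaces docker/login-action in the boulder-ci.yml step has no matching logout, although the removed step set `logout: true`. The same applies to the release.yml hunk in this patch and to the Docker Hub login introduced in patches 2 through 5. By default `docker login` writes the credential to the runner's Docker config file, where it stays readable by every later step and after the job ends. That is low risk on ephemeral hosted runners, but if these jobs can ever run on a self-hosted or reused runner, add a closing step with `if: always()` and `run: docker logout ghcr.io` (or `docker.io` for the later form).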
@@ -71,11 +71,9 @@ jobs: run: docker buildx build . --build-arg "GO_VERSION=${{ matrix.GO_VERSION }}" -f test/ct-test-srv/Dockerfile -t "ghcr.io/letsencrypt/ct-test-srv:${GITHUB_REF_NAME}-go${{ matrix.GO_VERSION }}" - name: Login to GitHub Container Registry - uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} + run: printenv GITHUB_TOKEN | docker login -u "$GITHUB_ACTOR" --password-stdin ghcr.io + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Push Boulder container run: docker push "ghcr.io/letsencrypt/boulder:${GITHUB_REF_NAME}-go${{ matrix.GO_VERSION }}" From 25ddd07ce5533ab89d1cc52b7c219459e0d26067 Mon Sep 17 00:00:00 2001 From: Ameer Ghani Date: Mon, 6 Apr 2026 15:50:47 +0000 Subject: [PATCH 2/5] Should still log in to docker --- .github/workflows/boulder-ci.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/boulder-ci.yml b/.github/workflows/boulder-ci.yml index 739c3fe053b..db86d4565ab 100644 --- a/.github/workflows/boulder-ci.yml +++ b/.github/workflows/boulder-ci.yml @@ -75,10 +75,11 @@ jobs: with: persist-credentials: false - - name: Login to GitHub Container Registry - run: printenv GITHUB_TOKEN | docker login -u "$GITHUB_ACTOR" --password-stdin ghcr.io + - name: Docker Login + run: printenv $DOCKER_PASSWORD | docker login -u "$DOCKER_USERNAME" --password-stdin env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME}} + DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD}} # Print the env variable being used to pull the docker image. For # informational use. From 61a57ae14de030f4b2203e4560d4d6b415757620 Mon Sep 17 00:00:00 2001 From: Ameer Ghani Date: Mon, 6 Apr 2026 15:53:17 +0000 Subject: [PATCH 3/5] Should still specify docker.io --- .github/workflows/boulder-ci.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
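Review bot: In the boulder-ci.yml hunk of patch 2/5, `printenv $DOCKER_PASSWORD` makes the shell expand the secret and pass its value as the name to look up. The password therefore ends up in printenv's argument list, unquoted, and nothing useful is piped to `docker login --password-stdin`. The intended form is `printenv DOCKER_PASSWORD | docker login -u "$DOCKER_USERNAME" --password-stdin docker.io`, which keeps the secret out of argv. Patch 3/5 carries the same line and only patch 4/5 corrects it, so patches 2 and 3 should not be cherry-picked or bisected onto a branch where the secrets are populated.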
diff --git a/.github/workflows/boulder-ci.yml b/.github/workflows/boulder-ci.yml index db86d4565ab..caf3a450c8b 100644 --- a/.github/workflows/boulder-ci.yml +++ b/.github/workflows/boulder-ci.yml @@ -76,10 +76,10 @@ jobs: persist-credentials: false - name: Docker Login - run: printenv $DOCKER_PASSWORD | docker login -u "$DOCKER_USERNAME" --password-stdin + run: printenv $DOCKER_PASSWORD | docker login -u "$DOCKER_USERNAME" --password-stdin docker.io env: - DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME}} - DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD}} + DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }} + DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }} # Print the env variable being used to pull the docker image. For # informational use. From a8ad3a4c6754e246bbec114a8764482202d6ea97 Mon Sep 17 00:00:00 2001 From: Ameer Ghani Date: Mon, 6 Apr 2026 15:56:20 +0000 Subject: [PATCH 4/5] Typo --- .github/workflows/boulder-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/boulder-ci.yml b/.github/workflows/boulder-ci.yml index caf3a450c8b..311287c7de9 100644 --- a/.github/workflows/boulder-ci.yml +++ b/.github/workflows/boulder-ci.yml @@ -76,7 +76,7 @@ jobs: persist-credentials: false - name: Docker Login - run: printenv $DOCKER_PASSWORD | docker login -u "$DOCKER_USERNAME" --password-stdin docker.io + run: printenv DOCKER_PASSWORD | docker login -u "$DOCKER_USERNAME" --password-stdin docker.io env: DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }} DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }} From 250a979ef1935cd7d00211fa2fe608c725bf8330 Mon Sep 17 00:00:00 2001 From: Ameer Ghani Date: Tue, 14 Apr 2026 20:13:40 +0000 Subject: [PATCH 5/5] Bring back continue-on-error --- .github/workflows/boulder-ci.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/boulder-ci.yml b/.github/workflows/boulder-ci.yml index 311287c7de9..80185a07cac 100644 --- a/.github/workflows/boulder-ci.yml 
+++ b/.github/workflows/boulder-ci.yml @@ -75,11 +75,14 @@ jobs: with: persist-credentials: false + # Log into dockerhub to avoid rate limits. - name: Docker Login run: printenv DOCKER_PASSWORD | docker login -u "$DOCKER_USERNAME" --password-stdin docker.io env: DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }} DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }} + # This task is best-effort, if it fails, e.g. due to running from a fork, it's no big deal. + continue-on-error: true # Print the env variable being used to pull the docker image. For # informational use.
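Review bot: The restored `continue-on-error: true` on the Docker Login step hides every failure, not only the fork case named in the comment. Rotated or revoked Docker Hub credentials would leave the job pulling anonymously with nothing pointing at the cause. Keeping the step best-effort is reasonable, but make the fallback visible, for example by appending `|| { echo "::warning::Docker Hub login failed; pulling anonymously"; exit 1; }` to the `run:` line. A comment line such as `# Secrets are empty on fork PRs, so login is expected to fail there.` would also pin down which failure is the benign one.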