From c7488aeb7fc8f60987876c3c51dcfa2aa80e4de4 Mon Sep 17 00:00:00 2001
From: ruv <ruv@ruv.net>
Date: Mon, 25 May 2026 15:42:40 -0400
Subject: [PATCH] fix(ci): use docker login --password-stdin (bypass
 login-action@v3)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

docker/login-action@v3 kept emitting "malformed HTTP Authorization
header" against a fresh, known-good dckr_pat_* token (verified by
direct curl against hub.docker.com/v2/users/login). Replacing with
`docker login --password-stdin` — Docker's documented credential
ingestion path — sidesteps whatever encoding the action injects.

Refs #794.

Co-Authored-By: claude-flow <ruv@ruv.net>
---
 .github/workflows/sensing-server-docker.yml | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/sensing-server-docker.yml b/.github/workflows/sensing-server-docker.yml
index 0a1215c1..02b0c766 100644
--- a/.github/workflows/sensing-server-docker.yml
+++ b/.github/workflows/sensing-server-docker.yml
@@ -61,11 +61,16 @@ jobs:
       - uses: docker/setup-buildx-action@v3
 
       - name: Log in to Docker Hub
-        uses: docker/login-action@v3
-        with:
-          registry: docker.io
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
+        # Bypassing docker/login-action@v3: the action kept emitting
+        # "malformed HTTP Authorization header" against a known-good
+        # dckr_pat_* token (verified by direct curl against the Hub API).
+        # `docker login --password-stdin` is the documented credential
+        # path and avoids whatever encoding step the action injects.
+        env:
+          DH_USER: ${{ secrets.DOCKERHUB_USERNAME }}
+          DH_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
+        run: |
+          printf '%s' "$DH_TOKEN" | docker login docker.io -u "$DH_USER" --password-stdin
 
       - name: Log in to ghcr.io
         uses: docker/login-action@v3