From 6c2ec08c58e81c887604ed6f6efb1ce5d93e56fa Mon Sep 17 00:00:00 2001
From: jjoonleo
Date: Sat, 9 May 2026 04:27:40 +0900
Subject: [PATCH] Use workflow token for dev GHCR pull
---
 .github/workflows/deploy-dev.yml | 2 +-
 docs/deployment.md | 4 ++--
 docs/git-workflow.md | 4 +---
 3 files changed, 4 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/deploy-dev.yml b/.github/workflows/deploy-dev.yml
index 836aaab..1ba81ea 100644
--- a/.github/workflows/deploy-dev.yml
+++ b/.github/workflows/deploy-dev.yml
@@ -138,7 +138,7 @@ jobs:
 FIREBASE_CREDENTIALS_BASE64=${{ secrets.DEV_FIREBASE_CREDENTIALS_BASE64 }}
 EOF
- echo "${{ secrets.GHCR_READ_TOKEN }}" | sudo docker login ghcr.io -u "${{ secrets.GHCR_USERNAME }}" --password-stdin
+ echo "${{ secrets.GITHUB_TOKEN }}" | sudo docker login ghcr.io -u "${{ github.actor }}" --password-stdin
 if sudo docker compose version >/dev/null 2>&1; then
 COMPOSE="sudo docker compose"
diff --git a/docs/deployment.md b/docs/deployment.md
index 396ed38..5788461 100644
--- a/docs/deployment.md
+++ b/docs/deployment.md
@@ -120,8 +120,8 @@ Required development secrets:
 - `DEV_REMOTE_HOST`
 - `DEV_REMOTE_USER`
 - `DEV_REMOTE_SSH_KEY`
-- `GHCR_USERNAME`
-- `GHCR_READ_TOKEN`
+
+The development workflow uses the run-scoped `GITHUB_TOKEN` to pull the image from GHCR on the remote PC, so no long-lived GHCR read token is required for development deploys.
 Optional development secrets:
diff --git a/docs/git-workflow.md b/docs/git-workflow.md
index fc7d6f6..3814bfd 100644
--- a/docs/git-workflow.md
+++ b/docs/git-workflow.md
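Review bot: The new `docker login` line depends on the job's `GITHUB_TOKEN` carrying `packages: read`, which nothing in this hunk establishes; if the workflow or the repository's default token permissions are restrictive, the remote pull fails with an authentication error. Declaring it explicitly is also the least-privilege form, e.g. a job-level `permissions:` with `contents: read` and `packages: read`, and the GHCR package must additionally grant this repository read access — neither is visible here, so verify both before merging. Because the token is run-scoped (as the docs hunk itself says), the credential that `sudo docker login` stores on the remote host (presumably under root's Docker config) becomes a stale secret as soon as the deploy finishes; a `sudo docker logout ghcr.io` after the pull avoids leaving it behind, and operators doing manual pulls on that host will need their own credential, which the documentation hunks do not mention. The step's `run` script starts and ends outside the hunk.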
@@ -132,11 +132,9 @@ Development deploy should use development secrets only:
 DEV_REMOTE_HOST
 DEV_REMOTE_USER
 DEV_REMOTE_SSH_KEY
-GHCR_USERNAME
-GHCR_READ_TOKEN
 ```
-Optional `DEV_*` secrets can override the default dev deploy directory, HTTP port, MySQL credentials, and non-production OAuth/Firebase settings.
+The development deploy uses the workflow `GITHUB_TOKEN` for GHCR image pulls. Optional `DEV_*` secrets can override the default dev deploy directory, HTTP port, MySQL credentials, and non-production OAuth/Firebase settings.
 ## Branch Protection