DevKor-github · jjoonleo · May 8, 2026
diff --git a/.github/workflows/deploy-dev.yml b/.github/workflows/deploy-dev.yml
@@ -138,7 +138,7 @@ jobs:
             FIREBASE_CREDENTIALS_BASE64=${{ secrets.DEV_FIREBASE_CREDENTIALS_BASE64 }}
             EOF
 
-            echo "${{ secrets.GHCR_READ_TOKEN }}" | sudo docker login ghcr.io -u "${{ secrets.GHCR_USERNAME }}" --password-stdin
+            echo "${{ secrets.GITHUB_TOKEN }}" | sudo docker login ghcr.io -u "${{ github.actor }}" --password-stdin
 
             if sudo docker compose version >/dev/null 2>&1; then
               COMPOSE="sudo docker compose"

diff --git a/docs/deployment.md b/docs/deployment.md
@@ -120,8 +120,8 @@ Required development secrets:
 - `DEV_REMOTE_HOST`
 - `DEV_REMOTE_USER`
 - `DEV_REMOTE_SSH_KEY`
-- `GHCR_USERNAME`
-- `GHCR_READ_TOKEN`
+
+The development workflow uses the run-scoped `GITHUB_TOKEN` to pull the image from GHCR on the remote PC, so no long-lived GHCR read token is required for development deploys.
 
 Optional development secrets:
 

diff --git a/docs/git-workflow.md b/docs/git-workflow.md
@@ -132,11 +132,9 @@ Development deploy should use development secrets only:
 DEV_REMOTE_HOST
 DEV_REMOTE_USER
 DEV_REMOTE_SSH_KEY
-GHCR_USERNAME
-GHCR_READ_TOKEN
 ```
 
-Optional `DEV_*` secrets can override the default dev deploy directory, HTTP port, MySQL credentials, and non-production OAuth/Firebase settings.
+The development deploy uses the workflow `GITHUB_TOKEN` for GHCR image pulls. Optional `DEV_*` secrets can override the default dev deploy directory, HTTP port, MySQL credentials, and non-production OAuth/Firebase settings.
 
 ## Branch Protection