From 955eae5d657bc155e9c4e0c35f2d2caea3a99193 Mon Sep 17 00:00:00 2001
From: ezl-keygraph
Date: Tue, 17 Mar 2026 03:47:05 +0530
Subject: [PATCH] fix: remove duplicate environment gate from merge-docker job
Move DOCKERHUB_USERNAME from vars to secrets so merge-docker can access credentials without its own environment scope. This eliminates the redundant double approval since build-docker already gates on release-publish.
---
 .github/workflows/release.yml | 5 ++---
 .github/workflows/rollback.yml | 8 ++++----
 2 files changed, 6 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 6ae4a87..34f06ed 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -83,7 +83,7 @@ jobs:
 - name: Log in to Docker Hub
 uses: docker/login-action@v4
 with:
- username: ${{ vars.DOCKERHUB_USERNAME }}
+ username: ${{ secrets.DOCKERHUB_USERNAME }}
 password: ${{ secrets.DOCKERHUB_TOKEN }}
 - name: Build and push by digest
@@ -114,7 +114,6 @@ jobs:
 name: Push Docker manifests
 needs: [preflight, build-docker]
 runs-on: ubuntu-latest
- environment: release-publish
 permissions:
 contents: read
 id-token: write
@@ -135,7 +134,7 @@ jobs:
 - name: Log in to Docker Hub
 uses: docker/login-action@v4
 with:
- username: ${{ vars.DOCKERHUB_USERNAME }}
+ username: ${{ secrets.DOCKERHUB_USERNAME }}
 password: ${{ secrets.DOCKERHUB_TOKEN }}
 - name: Create manifest list and push
diff --git a/.github/workflows/rollback.yml b/.github/workflows/rollback.yml
index 132bdf8..a71b788 100644
--- a/.github/workflows/rollback.yml
+++ b/.github/workflows/rollback.yml
@@ -69,7 +69,7 @@ jobs:
 - name: Show current npm dist-tags
 env:
- NODE_AUTH_TOKEN: ${{ secrets.NPM_ROLLBACK_TOKEN }}
+ NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 run: npm dist-tag ls @keygraph/shannon
 - name: Set up Docker Buildx
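Review bot: Storing DOCKERHUB_USERNAME as a secret in the `@@ -83,7 +83,7 @@` hunk of release.yml makes the runner mask that string everywhere in the logs, and GitHub skips job outputs whose value contains a secret. If the username is also the image namespace (not visible here), image references passed between build-docker and merge-docker can show up as `***` or arrive empty, so the digest hand-off is worth checking after this change. A username is not confidential and the move exists only to get around environment scoping, which deserves a comment above the step such as `# username kept in secrets only so jobs without an environment can read it`. The same substitution is made in the `@@ -135,7 +134,7 @@` hunk and in rollback.yml at `@@ -78,7 +78,7 @@`. The job these steps belong to starts outside the hunk.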
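Review bot: Dropping `environment: release-publish` in the `@@ -114,7 +114,6 @@` hunk only works if DOCKERHUB_TOKEN and DOCKERHUB_USERNAME now live at repository or organisation scope, where every workflow and job in the repository can read them without the reviewer approval or branch rules the environment enforced. The `needs: [preflight, build-docker]` ordering keeps merge-docker behind the approval inside this workflow, but it does nothing for other workflows that reference the same secrets. The job also keeps `id-token: write`, and without an environment the OIDC subject claim no longer carries the environment name, so any signing identity or trust policy pinned to that claim (none is visible here) would need review. To avoid the double prompt without widening secret scope, consider a second environment with the same branch/tag restriction but no required reviewers, e.g. `environment: <publish-no-approval>` (placeholder name). The job header sits above the hunk.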
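Review bot: With the environment gate removed from merge-docker, the `docker/login-action@v4` step in the `@@ -135,7 +134,7 @@` hunk hands the Docker Hub token to an action referenced by a mutable tag, in a job that also holds `id-token: write`. Pinning it to a full commit SHA, `uses: docker/login-action@<full-commit-sha> # v4` (placeholder SHA), keeps a retagged release from changing what runs with those credentials. The same reference appears in the `@@ -83,7 +83,7 @@` hunk and in rollback.yml; the rest of the job's steps are outside the hunk.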
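Review bot: The switch from NPM_ROLLBACK_TOKEN to NPM_TOKEN in the `@@ -69,7 +69,7 @@` hunk of rollback.yml is not mentioned in the commit message and folds the rollback credential into what appears to be the general publish token. A dedicated rollback token can be scoped, rotated, revoked and audited separately from the release path; if the old secret was retired on purpose, the description should say so. The `npm dist-tag ls` steps here and in the `@@ -112,7 +112,7 @@` hunk only read tags, so if the package is public they could drop the `env:` block and leave the token to the `Move npm latest` step alone.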
@@ -78,7 +78,7 @@ jobs:
 - name: Log in to Docker Hub
 uses: docker/login-action@v4
 with:
- username: ${{ vars.DOCKERHUB_USERNAME }}
+ username: ${{ secrets.DOCKERHUB_USERNAME }}
 password: ${{ secrets.DOCKERHUB_TOKEN }}
 - name: Verify Docker image tag exists
@@ -102,7 +102,7 @@ jobs:
 - name: Move npm latest
 env:
- NODE_AUTH_TOKEN: ${{ secrets.NPM_ROLLBACK_TOKEN }}
+ NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 run: npm dist-tag add "@keygraph/shannon@${{ steps.target.outputs.version }}" latest
 - name: Mark GitHub release as latest
@@ -112,7 +112,7 @@ jobs:
 - name: Show final npm dist-tags
 env:
- NODE_AUTH_TOKEN: ${{ secrets.NPM_ROLLBACK_TOKEN }}
+ NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 run: npm dist-tag ls @keygraph/shannon
 - name: Verify Docker latest now points to target
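Review bot: In the `@@ -102,7 +102,7 @@` hunk the `run:` line expands `${{ steps.target.outputs.version }}` into the script text before the shell starts, in the step that now carries NPM_TOKEN. How the `target` step derives that value is outside the hunk; if it comes from a workflow input without strict validation, the double quotes in the script do not help because the substitution happens first. Pass it through the environment instead: add `VERSION: ${{ steps.target.outputs.version }}` under `env:` and use `run: npm dist-tag add "@keygraph/shannon@${VERSION}" latest`.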