docker login: Authenticate to a Registry in CI
Authenticate to a registry so pulls and pushes are not rate-limited or denied.
docker login stores credentials for a registry so subsequent pull and push commands authenticate. This page covers non-interactive login via stdin, the standard CI pattern.
What it does
docker login authenticates to a registry (Docker Hub by default, or a named one) and caches the credentials. In CI you pass the secret via --password-stdin to keep it out of process listings and logs.
Common usage
echo "$GHCR_TOKEN" | docker login ghcr.io -u "$GITHUB_ACTOR" --password-stdin
echo "$DOCKERHUB_TOKEN" | docker login -u myuser --password-stdin
aws ecr get-login-password --region us-east-1 \
| docker login --username AWS --password-stdin 123456789.dkr.ecr.us-east-1.amazonaws.comCommon errors in CI
"unauthorized: incorrect username or password" or "denied" usually means a wrong/expired token or missing scope - for GHCR the token needs packages:write to push. "Error saving credentials: ... credential helper" appears when a configured credsStore (e.g. desktop) is unavailable on the runner; remove credsStore from ~/.docker/config.json in CI. Never pass -p with a literal secret; use --password-stdin.