Improved Secret handling and other GitHub Actions-related improvements

[desrosj]

This makes a few changes to how secrets are handled within GitHub Actions workflows:

• The related secrets have been moved into two different environments: production for pushing to Docker Hub and staging for pushing to GHCR.
• Since the REGISTRY_USERNAME value is known (it is shown publicly on the respective registry), this is now an environment variable.
• REGISTRY_PASSWORD has been configured as an environment secret.

Also, there is currently a warning is displayed in the GitHub Actions logs:

WARNING! Your credentials are stored unencrypted in '/home/runner/.docker/config.json'.
Configure a credential helper to remove this warning. See
https://docs.docker.com/go/credential-store/

While the docker/login-action action does not implement a true credential store, it does log out immediately after the job completes (which removes any auth-related entries from the config.json file), and silences the warning by using silent: true. The action also supports configuring This PR switches to utilizing this action instead of manually adding a log out step.

And finally this removes the PACKAGE_REGISTRY_HOST environment variable (which was unused), and removes the PACKAGE_REGISTRY build argument from the PHP image build commands (this did nothing since the base images are not pulled from WordPress-related sources).

[github-actions]

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message.

Co-authored-by: desrosj <desrosj@git.wordpress.org>

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

[Copilot]

Pull request overview

This PR updates the repository’s GitHub Actions workflows (and their template) to improve credential handling for Docker registry logins by moving secrets into environment-scoped secrets/variables, switching to docker/login-action, and removing unused/ineffective workflow inputs.

Changes:

• Introduces staging/production GitHub Environments for registry publishing jobs and moves credentials accordingly.
• Replaces manual docker login with docker/login-action (pinned) and removes the unused PACKAGE_REGISTRY_HOST.
• Removes PACKAGE_REGISTRY build arg from PHP image builds (keeps it where required for CLI images).

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 6 comments.

File	Description
templates/workflow.yml-template	Updates the workflow template to use environments + docker/login-action and adjusts registry credential wiring.
.github/workflows/github-container-registry.yml	Regenerated GHCR workflow using staging environment and docker/login-action.
.github/workflows/docker-hub.yml	Regenerated Docker Hub workflow using production environment and docker/login-action.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

Comments suppressed due to low confidence (1)

templates/workflow.yml-template:152

• The CLI image build still passes --build-arg PACKAGE_REGISTRY="$PACKAGE_REGISTRY", but the repository doesn't appear to use ARG PACKAGE_REGISTRY in any Dockerfile, so this argument is redundant. Removing it would simplify the workflow and match the PHP image build step.

      - name: Build Docker image
        run: |
          docker build \
            --build-arg PACKAGE_REGISTRY="$PACKAGE_REGISTRY" \
            --build-arg PR_TAG="$PR_TAG" \