From 9091a520c886b58b9d7544251cabf5c0cbbfda09 Mon Sep 17 00:00:00 2001
From: Luke Young <bored-engineer@users.noreply.github.com>
Date: Mon, 2 Feb 2026 16:22:18 -0800
Subject: [PATCH] fix(dockerhub): use username for OAT validation

Signed-off-by: Luke Young <bored-engineer@users.noreply.github.com>
---
 .../kingfisher-rules/data/rules/dockerhub.yml  | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/crates/kingfisher-rules/data/rules/dockerhub.yml b/crates/kingfisher-rules/data/rules/dockerhub.yml
index c99a29a..53d9a1f 100644
--- a/crates/kingfisher-rules/data/rules/dockerhub.yml
+++ b/crates/kingfisher-rules/data/rules/dockerhub.yml
@@ -81,17 +81,23 @@ rules:
       - docker login -u docker-test -p dckr_oat_7bA9zRt5-JqX3vP0l_MnY8sK2wE-dF6h
     references:
       - https://docs.docker.com/enterprise/security/access-tokens/
+    depends_on_rule:
+      - rule_id: kingfisher.dockerhub.2
+        variable: DOCKER_USERNAME
     validation:
       type: Http
       content:
         request:
+          method: POST
+          url: https://hub.docker.com/v2/auth/token
           headers:
-            Authorization: Bearer {{ TOKEN }}
+            Content-Type: application/json
             Accept: application/json
-          method: GET
+          body: '{"identifier":"{{ DOCKER_USERNAME | json_escape }}","secret":"{{ TOKEN | json_escape }}"}'
           response_matcher:
             - report_response: true
-            - status:
-                - 200
-              type: StatusMatch
-          url: https://hub.docker.com/v2/access-tokens?page_size=1
+            - type: StatusMatch
+              status: [200]
+            - type: WordMatch
+              words:
+                - '"access_token"'