unauthorized: incorrect username or password

Clear the bad credential first:docker logout <registry>

Log in again with the correct username and a current password or access token.

If you use a credential helper or OS keychain, remove the stale entry there as well before retrying.

If this fails in CI only, rotate the secret and verify the job is using the updated value.

The username, password, or access token is wrong.

A credential helper returned stale credentials after the token was rotated.

CI is using the wrong secret or the wrong account for the target registry.

Retry the same pull or push and confirm the incorrect-password error is gone.

Perform a fresh docker login <registry> and confirm it succeeds without reusing cached credentials.

Check whether Docker is pulling credentials from a keychain helper instead of plain auths in ~/.docker/config.json.

Verify the registry username matches the account that owns or can access the repository.

If the secret was rotated recently, confirm the old value is not still cached in CI.

Docker attaches stored credentials for the target registry host when it authenticates.

If those credentials are stale or wrong, the registry rejects the login or repository request immediately.

Prefer scoped tokens over long-lived passwords for automation.

Rotate registry tokens on a schedule and update all consuming jobs together.

Avoid sharing one mutable credential across unrelated environments.