diff --git a/.github/workflows/publish_docker.yml b/.github/workflows/publish_docker.yml
index 354194ff..67c32e2e 100644
--- a/.github/workflows/publish_docker.yml
+++ b/.github/workflows/publish_docker.yml
@@ -12,14 +12,21 @@ jobs:
   publish-canary-docker:
     name: publish to DockerHub
     runs-on: ubuntu-22.04
+    permissions:
+      id-token: write   # This is required for OIDC login (azure/login) to succeed
+      contents: read    # This is required for actions/checkout to succeed
+    environment: Docker
     if: github.repository == 'microsoft/playwright-java'
     steps:
     - uses: actions/checkout@v4
-    - uses: azure/docker-login@v1
+    - name: Azure login
+      uses: azure/login@v2
       with:
-        login-server: playwright.azurecr.io
-        username: playwright
-        password: ${{ secrets.DOCKER_PASSWORD }}
+        client-id: ${{ secrets.AZURE_DOCKER_CLIENT_ID }}
+        tenant-id: ${{ secrets.AZURE_DOCKER_TENANT_ID }}
+        subscription-id: ${{ secrets.AZURE_DOCKER_SUBSCRIPTION_ID }}
+    - name: Login to ACR via OIDC
+      run: az acr login --name playwright
     - name: Set up Docker QEMU for arm64 docker builds
       uses: docker/setup-qemu-action@v3
       with: