diff --git a/.github/workflows/pathogen-repo-ci.yaml b/.github/workflows/pathogen-repo-ci.yaml
index c588d81..81795c6 100644
--- a/.github/workflows/pathogen-repo-ci.yaml
+++ b/.github/workflows/pathogen-repo-ci.yaml
@@ -44,10 +44,47 @@ on:
 default: ""
 required: false
+permissions:
+ contents: read
+ packages: read
+
 jobs:
 build:
 runs-on: ubuntu-latest
 steps:
+ # Log in, if possible, to docker.io (Docker Hub), since authenticated
+ # requests get higher rate limits (e.g. for image pulls). Our org-level
+ # secret DOCKER_TOKEN_PUBLIC_READ_ONLY is available to all our public
+ # repos on GitHub but only available here to this reusable workflow when
+ # called with "secrets: inherit". On Docker Hub, the token is granted
+ # "public read-only" access.
+ - id: DOCKER_TOKEN_PUBLIC_READ_ONLY
+ name: Check if DOCKER_TOKEN_PUBLIC_READ_ONLY secret is available
+ env:
+ DOCKER_TOKEN_PUBLIC_READ_ONLY: ${{ secrets.DOCKER_TOKEN_PUBLIC_READ_ONLY }}
+ run: |
+ tee -a "$GITHUB_OUTPUT" <<