diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index b7bb3c6..807ffba 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -12,7 +12,7 @@ jobs: packages: write steps: - name: Checkout - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 - name: Setup Spack uses: spack/setup-spack@5ab3c91bdefffffad9a7e45d1d156146afebb3a7 @@ -29,7 +29,10 @@ jobs: make -Orecurse -j $(($(nproc) + 1)) SPACK_INSTALL_FLAGS=--no-check-signature - name: Push packages and update index + env: + GITHUB_USER: ${{ github.actor }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - spack mirror set --push --oci-username ${{ github.actor }} --oci-password "${{ secrets.GITHUB_TOKEN }}" github-actions-buildcache + spack mirror set --push --oci-username-variable GITHUB_USER --oci-password-variable GITHUB_TOKEN github-actions-buildcache spack -e . buildcache push -j $(($(nproc) + 1)) --base-image ubuntu:20.04 --update-index github-actions-buildcache if: ${{ !cancelled() }} diff --git a/.github/workflows/update-index.yaml b/.github/workflows/update-index.yaml index 5db7fb5..cf91aaf 100644 --- a/.github/workflows/update-index.yaml +++ b/.github/workflows/update-index.yaml @@ -12,7 +12,7 @@ jobs: packages: write steps: - name: Checkout - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 - name: Setup Spack uses: spack/setup-spack@5ab3c91bdefffffad9a7e45d1d156146afebb3a7 diff --git a/README.md b/README.md index ba82390..4680d7c 100644 --- a/README.md +++ b/README.md @@ -55,7 +55,7 @@ jobs: run: spack -e . install --no-check-signature - name: Run - run: ./my_view/bin/python -c 'print("hello world")' + run: ./my_view/bin/python3 -c 'print("hello world")' ``` ## Caching your own binaries 
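Review bot: The new step-level `env:` block on "Push packages and update index" in build.yaml carries no comment explaining why the credentials are confined to that one step, yet that scoping is the security-relevant property: the preceding `make ... SPACK_INSTALL_FLAGS=--no-check-signature` step, which appears to install binaries without signature checks, runs without `GITHUB_TOKEN` in its environment. I would add a line above `env:` such as `# Token is step-scoped on purpose: build steps must not see it; do not hoist to job/workflow env.`, because the README's private-buildcache example in this same commit moves both variables to a workflow-level `env:` and a later edit could copy that pattern here. The `--oci-username-variable` / `--oci-password-variable` options are not present in older Spack releases, and the Spack version installed by `spack/setup-spack` is not visible in this hunk, so it is worth confirming it is recent enough or pinning it. The job and its earlier steps start outside the hunk.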
@@ -71,7 +71,13 @@ If you want to cache your own binaries too, there are three steps to take: root: /opt/spack padded_length: 128 mirrors: - local-buildcache: oci://ghcr.io//spack-buildcache + local-buildcache: + url: oci://ghcr.io//spack-buildcache + signed: false + access_pair: + id_variable: GITHUB_USER + secret_variable: GITHUB_TOKEN + ``` 2. Configure the permissions for `GITHUB_TOKEN`: @@ -92,9 +98,10 @@ If you want to cache your own binaries too, there are three steps to take: example: steps: - name: Push packages and update index - run: | - spack -e . mirror set --push --oci-username ${{ github.actor }} --oci-password "${{ secrets.GITHUB_TOKEN }}" local-buildcache - spack -e . buildcache push --base-image ubuntu:22.04 --unsigned --update-index local-buildcache + env: + GITHUB_USER: ${{ github.actor }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: spack -e . buildcache push --base-image ubuntu:22.04 --update-index local-buildcache if: ${{ !cancelled() }} ``` NOTE: Make sure to add `if: ${{ !cancelled() }}`, so that binaries for successfully @@ -104,17 +111,16 @@ If you want to cache your own binaries too, there are three steps to take: When your local buildcache is stored in a private GitHub package, you need to specify the OCI credentials already *before* `spack concretize`. -This is because Spack needs to fetch the buildcache index. Also, remember to -remove the `--push` flag from `spack mirror set`, since fetching needs -credentials too: +This is because Spack needs to fetch the buildcache index. ```yaml +env: + GITHUB_USER: ${{ github.actor }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + jobs: example-private: steps: - - name: Login - run: spack -e . mirror set --oci-username ${{ github.actor }} --oci-password "${{ secrets.GITHUB_TOKEN }}" local-buildcache - - name: Concretize run: spack -e . concretize 
@@ -122,12 +128,11 @@ jobs: run: spack -e . install --no-check-signature - name: Push packages and update index - run: spack -e . buildcache push --base-image ubuntu:22.04 --unsigned --update-index local-buildcache + run: spack -e . buildcache push --base-image ubuntu:22.04 --update-index local-buildcache ``` -From a security perspective, notice that the `GITHUB_TOKEN` is exposed to every -subsequent job step. (This is no different from `docker login`, which also likes -to store credentials in the home directory.) +From a security perspective, do note that the `GITHUB_TOKEN` is exposed to every +job step. ## Contributing