
fix: public permissions (#4670)

Signed-off-by: Gustavo Carvalho <gustavo@externalsecrets.com>
Gustavo Fernandes de Carvalho 1 year ago
parent
commit
c024132997
3 changed files with 11 additions and 10 deletions
  1. 1 1
      .github/workflows/ci.yml
  2. 9 7
      .github/workflows/publish.yml
  3. 1 2
      .github/workflows/rebuild-image.yml

+ 1 - 1
.github/workflows/ci.yml

@@ -167,7 +167,7 @@ jobs:
       build-args: ${{ matrix.build-args }}
       build-arch: ${{ matrix.build-arch }}
       ref: ${{ github.ref }}
+      username: ${{ github.actor }}
     secrets:
-      GHCR_USERNAME: ${{ github.actor }}
       GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
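Review bot: The calling job in this hunk now needs `id-token: write` in its own `permissions`, because the reusable publish.yml workflow it invokes adds that scope to its build-publish job and a called workflow can only narrow the caller's token permissions, never widen them; if the caller does not grant it, the run fails when the nested job's permissions are resolved. The job header and any `permissions` block sit above the hunk, so this may already be granted at job or workflow level — verify before merging. The same applies to the rebuild-image.yml caller changed in this commit. If it is missing, add `id-token: write` under the calling job's `permissions` next to the existing `packages: write`, keeping the rest of the grant as narrow as it is today.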

+ 9 - 7
.github/workflows/publish.yml

@@ -28,9 +28,10 @@ on:
       build-platform:
         required: true
         type: string
-    secrets:
-      GHCR_USERNAME:
+      username:
         required: true
+        type: string
+    secrets:
       GHCR_TOKEN:
         required: true
 
@@ -48,6 +49,7 @@ jobs:
     permissions:
       contents: read
       packages: write
+      id-token: write
     outputs:
       image-tag: ${{ steps.container_info.outputs.image-tag }}
     steps:
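Review bot: `id-token: write` is added to the build-publish job's permissions without anything in the hunk showing which step consumes the OIDC token, and this scope lets every step of the job, including third-party actions, request a token that can be exchanged for credentials wherever this repository's workflow identity is trusted. A short comment naming the consumer would make the grant auditable, e.g. `id-token: write  # OIDC token for <step that needs it> — TODO name the step`, and the scope should stay on this job rather than being lifted to the workflow level. The job's `steps:` continue below the hunk, so the consuming step may be visible there — confirm it exists and that no step that does not need the token could be moved into a separate job.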
@@ -87,8 +89,8 @@ jobs:
         if: env.IS_FORK == 'false'
         with:
           registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
+          username: ${{ inputs.username }}
+          password: ${{ secrets.GHCR_TOKEN }}
 
       - name: Get docker image tag
         id: container_info
@@ -154,6 +156,6 @@ jobs:
         with:
           image-name: ${{ inputs.image-name }}
           image-tag: ${{ needs.build-publish.outputs.image-tag }}
-          GHCR_USERNAME: ${{ github.actor }}
-          GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GHCR_USERNAME: ${{ inputs.username }}
+          GHCR_TOKEN: ${{ secrets.GHCR_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GHCR_TOKEN }}

+ 1 - 2
.github/workflows/rebuild-image.yml

@@ -65,7 +65,6 @@ jobs:
       build-arch: ${{ matrix.build-arch }}
       ref: ${{ github.event.inputs.ref }}
       image-tag: ${{ github.event.inputs.ref }}
+      username: ${{ github.actor }}
     secrets:
-      GHCR_USERNAME: ${{ github.actor }}
       GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-