From 65af7ebc56c7bb956401df00fac3198c9d8f9ed0 Mon Sep 17 00:00:00 2001
From: Tirso Garcia
Date: Wed, 18 Mar 2026 01:46:23 +0100
Subject: [PATCH] Add GHCR publish credential fallback
---
 .github/workflows/publish-distribution.yml | 25 +++++++++++++++-------
 docs/operations/container-image.md | 10 +++++++++
 2 files changed, 27 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/publish-distribution.yml b/.github/workflows/publish-distribution.yml
index 9a2561d..733fa61 100644
--- a/.github/workflows/publish-distribution.yml
+++ b/.github/workflows/publish-distribution.yml
@@ -30,11 +30,16 @@ jobs:
 uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db

 - name: Log in to GitHub Container Registry
- uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
- with:
- registry: ghcr.io
- username: ${{ github.actor }}
- password: ${{ secrets.GITHUB_TOKEN }}
+ shell: bash
+ env:
+ GHCR_USERNAME: ${{ secrets.GHCR_USERNAME }}
+ GHCR_TOKEN: ${{ secrets.GHCR_TOKEN }}
+ GITHUB_TOKEN_VALUE: ${{ github.token }}
+ run: |
+ username="${GHCR_USERNAME:-${GITHUB_ACTOR}}"
+ token="${GHCR_TOKEN:-${GITHUB_TOKEN_VALUE}}"
+ echo "::add-mask::${token}"
+ echo "${token}" | docker login ghcr.io --username "${username}" --password-stdin

 - name: Extract image metadata
 id: meta
@@ -98,10 +103,14 @@ jobs:
 - name: Log in to GitHub Container Registry for Helm
 shell: bash
 run: |
- echo "${TOKEN}" | helm registry login ghcr.io --username "${ACTOR}" --password-stdin
+ username="${GHCR_USERNAME:-${GITHUB_ACTOR}}"
+ token="${GHCR_TOKEN:-${GITHUB_TOKEN_VALUE}}"
+ echo "::add-mask::${token}"
+ echo "${token}" | helm registry login ghcr.io --username "${username}" --password-stdin
 env:
- TOKEN: ${{ secrets.GITHUB_TOKEN }}
- ACTOR: ${{ github.actor }}
+ GHCR_USERNAME: ${{ secrets.GHCR_USERNAME }}
+ GHCR_TOKEN: ${{ secrets.GHCR_TOKEN }}
+ GITHUB_TOKEN_VALUE: ${{ github.token }}

 - name: Push Helm chart
 shell: bash
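Review bot: The shell `docker login` that replaces `docker/login-action` in the first hunk (step `Log in to GitHub Container Registry`) has no matching logout, so the credential stays in the runner's Docker config once the step finishes; the action it replaces logs out in its post-job step by default. That matters more now that the value can be a long-lived `GHCR_TOKEN` instead of the job-scoped token, particularly if this job ever runs on a self-hosted runner (the `runs-on` line is outside the hunk, so I cannot tell). I would add a last step guarded by `if: always()` that runs `docker logout ghcr.io`, and `helm registry logout ghcr.io` for the Helm login in the second hunk.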
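Review bot: `username` and `token` fall back independently in the Helm login step of the second hunk, so a repository that defines only one of `GHCR_USERNAME` / `GHCR_TOKEN` logs in with a mixed pair (a personal token under `GITHUB_ACTOR`, or the workflow token under the configured user) instead of failing. The same two assignment lines are in the Docker login step in the first hunk and need the same guard. Before the login I would add `if [ -n "${GHCR_USERNAME}${GHCR_TOKEN}" ] && { [ -z "${GHCR_USERNAME}" ] || [ -z "${GHCR_TOKEN}" ]; }; then echo "::error::Set both GHCR_USERNAME and GHCR_TOKEN or neither"; exit 1; fi`. A plain log line naming the chosen path (never the value) would also let someone reading a publish log tell which identity pushed the artifact.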
diff --git a/docs/operations/container-image.md b/docs/operations/container-image.md
index e2f6ce5..bd766c4 100644
--- a/docs/operations/container-image.md
+++ b/docs/operations/container-image.md
@@ -112,6 +112,16 @@ It publishes on:
 - push of tags matching `v*`
 - manual workflow dispatch

+Registry authentication for publish:
+
+- default path: `github.token`
+- fallback path: repository or organization secrets `GHCR_USERNAME` and
+ `GHCR_TOKEN`
+
+Use the fallback secrets when the workflow can build successfully but GHCR
+rejects the push with `403 Forbidden`. That usually means the package is not
+granting write access to the repository-scoped workflow token.
+
 ## Helm Chart

 The kernel also ships a standalone Helm chart: