diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 72b72cd..a2e3f15 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -34,7 +34,7 @@ jobs:
   build:
     runs-on: ubuntu-24.04
     permissions:
-      contents: read
+      contents: write
       packages: write
       id-token: write # needed for provenance attestation
       attestations: write # needed for provenance attestation
@@ -42,15 +42,15 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-
       - name: Login to Registry
         uses: docker/login-action@v3
         with:
           registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ github.token }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
 
       - name: Export build information
         run: |
@@ -86,7 +86,7 @@ jobs:
           cache-to: type=gha,mode=max
           # outputs: type=image,name=ghcr.io/${{ github.repository }},push-by-digest=true,name-canonical=true,push=${{ inputs.push-image }}
           build-args: |
-            GH_TOKEN=${{ secrets.GH_PAT }}
+            GHI_TOKEN=${{ secrets.GH_PAT }}
             PRIVATE_REPO_HOST=github.com/scality
             BUILD_DATE=${{ fromJson(steps.meta.outputs.json)['org.opencontainers.image.created'] }}
             GIT_COMMIT=${{ github.sha }}
diff --git a/Dockerfile b/Dockerfile
index f2d3736..fce8cbf 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,7 +1,7 @@
 # Build the manager binary
 FROM golang:1.24 AS builder
 
-ARG GH_TOKEN
+ARG GHI_TOKEN
 
 ARG PRIVATE_REPO_HOST=github.com/scality
 
@@ -12,8 +12,8 @@ WORKDIR /workspace
 
 RUN go env -w GOPRIVATE=${PRIVATE_REPO_HOST}
 
-RUN if [ -z "$GH_TOKEN" ]; then echo "GH_TOKEN is missing"; exit 1; fi && \
-    git config --global url."https://oauth2:${GH_TOKEN}@${PRIVATE_REPO_HOST}".insteadOf "https://${PRIVATE_REPO_HOST}"
+RUN if [ -z "$GHI_TOKEN" ]; then echo "GHI_TOKEN is missing"; exit 1; fi && \
+    git config --global url."https://oauth2:${GHI_TOKEN}@${PRIVATE_REPO_HOST}".insteadOf "https://${PRIVATE_REPO_HOST}"
 
 # Copy the Go Modules manifests
 COPY go.mod go.mod