From fe5692e3c4a5b7178d130ebeb5c1e200d56f971f Mon Sep 17 00:00:00 2001
From: Tamal Saha
Date: Wed, 20 May 2026 23:41:59 +0600
Subject: [PATCH] Harden release workflow: packages:write, fetch-depth:0, ghcr.io login

- Add `permissions: packages: write` to the build job so the workflow's GITHUB_TOKEN can push to ghcr.io.
- Add `fetch-depth: 0` to the actions/checkout step so the full history is available for version derivation (e.g. `git describe`).
- Switch container-registry login to ghcr.io with `github.actor` / `GITHUB_TOKEN` via docker/login-action (replacing prior 1gtm / DOCKERHUB_TOKEN, and any inline `docker login` shell command).
Signed-off-by: Tamal Saha
---
 .github/workflows/release.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 1c00007..1b6c561 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -21,6 +21,8 @@ jobs:
 packages: write
 steps:
 - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+ with:
+ fetch-depth: 0
 - name: Print version info
 id: semver
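Review bot: The checkout step in this hunk keeps the default `persist-credentials: true`, so the job's GITHUB_TOKEN, which carries `packages: write` per the context line above, stays in the local git config for every later step of the release job. If no later step pushes with git (the remaining steps are outside the hunk, so this is unverified), add `persist-credentials: false` under `with:` next to `fetch-depth: 0`. Separately, the commit message lists the `packages: write` permission and the ghcr.io login switch as changes, but the diff holds only the two `fetch-depth` lines and `packages: write` appears as unchanged context; the message should describe only what this patch changes.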