ci: fix permissions and steps

.github/workflows/nightly-release.yaml

@@ -21,11 +21,13 @@ jobs:
           if [[ $(git rev-list --after="24 hours" --first-parent HEAD) ]]; then
             echo "should_run=true" >> $GITHUB_OUTPUT
           fi
-  build_release:
-    name: Build and release Docker image
+  build_tag_publish:
+    name: Build, tag and publish Docker image
     runs-on: ubuntu-latest
     needs: check_date
     if: needs.check_date.outputs.should_run == 'true'
+    permissions:
+      packages: write
     steps:
       - name: Checkout repository
         uses: actions/checkout@v3

.github/workflows/publish.yaml

@@ -1,33 +1,36 @@
-name: Publish Docker image
+name: Publish
 on:
   push:
     tags:
       - 'v*'
 jobs:
-  publish:
-    - name: Checkout repository
-      uses: actions/checkout@v3
-    - name: Login to GitHub Container Registry
-      if: steps.release.outputs.release_created == 'true'
-      uses: docker/login-action@v2
-      with:
-        registry: ghcr.io
-        username: ${{ github.actor }}
-        password: ${{ secrets.GITHUB_TOKEN }}
-    - name: Extract metadata (tags, labels) for Docker
-      if: steps.release.outputs.release_created == 'true'
-      id: docker_metadata
-      uses: docker/metadata-action@v4
-      with:
-        images: ghcr.io/${{ github.repository }}
-        tags: |
-          type=raw,value=latest
-          type=semver,pattern={{version}}
-    - name: Build and push Docker image
-      if: steps.release.outputs.release_created == 'true'
-      uses: docker/build-push-action@v3
-      with:
-        context: .
-        labels: ${{ steps.docker_metadata.outputs.labels }}
-        push: true
-        tags: ${{ steps.meta.outputs.tags }}
+  build_tag_publish:
+    name: Build, tag and publish Docker image
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Extract metadata (tags, labels) for Docker
+        if: steps.release.outputs.release_created == 'true'
+        id: docker_metadata
+        uses: docker/metadata-action@v4
+        with:
+          images: ghcr.io/${{ github.repository }}
+          tags: |
+            type=raw,value=latest
+            type=semver,pattern={{version}}
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v3
+        with:
+          context: .
+          labels: ${{ steps.docker_metadata.outputs.labels }}
+          push: true
+          tags: ${{ steps.docker_metadata.outputs.tags }}

.github/workflows/release.yaml

@@ -4,8 +4,8 @@ on:
     branches:
       - main
 jobs:
-  build_tag_release:
-    name: Build, tag, and release Docker image
+  release:
+    name: Create release
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository