diff --git a/.github/workflows/publish-docker.yml b/.github/workflows/publish-docker.yml
index cdb6dd1..b95c298 100644
--- a/.github/workflows/publish-docker.yml
+++ b/.github/workflows/publish-docker.yml
@@ -20,8 +20,15 @@ on:
 
 jobs:
   buildAndPush:
+    permissions:
+      contents: read
+      packages: write
+    # Condition: Run on push to main, published release, OR PR with 'ok-to-image' label
+    if: |
+      github.event_name == 'push' ||
+      (github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'ok-to-image')) ||
+      (github.event_name == 'release' && github.event.action == 'published')
     runs-on: ubuntu-latest
-    if: contains(github.event.pull_request.labels.*.name, 'ok-to-image')
     steps:
       - name: Checkout repository
         uses: actions/checkout@v5