🐛 fix: revert GHCR auth to PAT-based secrets (#699)

PR #698 switched from secrets.GHCR_TOKEN / secrets.CR_TOKEN to
github.token for GHCR push. This broke releases because the GHCR
package doesn't grant the repo's GITHUB_TOKEN write access.

Revert Docker and Helm registry auth to the PAT-based secrets
(GHCR_TOKEN, CR_TOKEN, CR_USER) that were working before.
OCI labels in the Dockerfile are kept.

Signed-off-by: Andrew Anderson <andy@clubanderson.com>
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

Author: clubanderson

.github/workflows/ci-release.yaml

@@ -7,10 +7,6 @@ on:
   release:
     types: [published]  # Also runs when a GitHub release is published
 
-permissions:
-  contents: read
-  packages: write
-
 jobs:
   docker-build-and-push:
     runs-on: ubuntu-latest
@@ -46,11 +42,7 @@ jobs:
         uses: docker/setup-buildx-action@v3
 
       - name: Log in to GitHub Container Registry
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ github.token }}
+        run: echo "${{ secrets.GHCR_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
 
       - name: Build and push multi-arch image
         run: |

.github/workflows/helm-release.yaml

@@ -70,11 +70,7 @@ jobs:
       # 4. Log in to GHCR for Docker push
       # -----------------------------------------
       - name: Docker login GHCR
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ github.token }}
+        run: echo "${{ secrets.CR_TOKEN }}" | docker login ghcr.io -u ${{ secrets.CR_USER }} --password-stdin
 
       # -----------------------------------------
       # 5. Build and push multi-arch Docker image
@@ -125,10 +121,12 @@ jobs:
       # 8. Login to GHCR for chart publishing
       # -----------------------------------------
       - name: Login to GHCR (Helm)
+        env:
+          GITHUB_TOKEN: ${{ secrets.CR_TOKEN }}
         run: |
           helm registry login ghcr.io \
-            --username ${{ github.actor }} \
-            --password "${{ github.token }}"
+            --username ${{ secrets.CR_USER }} \
+            --password "$GITHUB_TOKEN"
           echo "Helm registry login successful"
 
       # -----------------------------------------
@@ -142,6 +140,8 @@ jobs:
       # 10. Push chart to GHCR
       # -----------------------------------------
       - name: Push Helm chart
+        env:
+          GITHUB_TOKEN: ${{ secrets.CR_TOKEN }}
         run: |
           VERSION="${{ steps.version.outputs.version }}"
           CHART_FILE="workload-variant-autoscaler-${VERSION}.tgz"