diff --git a/.github/workflows/ko-publish.yaml b/.github/workflows/ko-publish.yaml
index 9a519844..441a4598 100644
--- a/.github/workflows/ko-publish.yaml
+++ b/.github/workflows/ko-publish.yaml
@@ -12,10 +12,8 @@ on:
 jobs:
   ko-publish:
     permissions:
-      contents: write
       id-token: write
       packages: write
-      pull-requests: write
     runs-on: ubuntu-latest
     steps:
     - name: Checkout
@@ -28,4 +26,7 @@ jobs:
     - name: Run ko
       run: |
         set -e
-        KO_REGISTRY=ghcr.io/kyverno/kyverno-envoy-plugin make publish-ko
+        REGISTRY=ghcr.io \
+        REGISTRY_USERNAME=${{ github.actor }} \
+        REGISTRY_PASSWORD=${{ secrets.GITHUB_TOKEN }} \
+        make publish-ko
diff --git a/Makefile b/Makefile
index ddc1bd84..c7a5814b 100644
--- a/Makefile
+++ b/Makefile
@@ -16,6 +16,9 @@ else
 LD_FLAGS                           := "-s -w"
 endif
 KIND_IMAGE                         ?= kindest/node:v1.29.2
+REGISTRY                           ?= ghcr.io
+REPO                               ?= kyverno
+IMAGE                              ?= kyverno-envoy-plugin
 KO_REGISTRY                        ?= ko.local
 KO_TAGS                            ?= $(GIT_SHA)
 KO_PLATFORMS                       ?= all
@@ -125,6 +128,10 @@ build:
 # BUILD (KO) #
 ##############
 
+.PHONY: ko-login
+ko-login: $(KO)
+	@$(KO) login $(REGISTRY) --username $(REGISTRY_USERNAME) --password $(REGISTRY_PASSWORD)
+
 .PHONY: build-ko
 build-ko: ## Build Docker image with ko
 build-ko: fmt
@@ -137,9 +144,10 @@ build-ko: $(KO)
 publish-ko: ## Publish Docker image with ko
 publish-ko: fmt
 publish-ko: vet
+publish-ko: ko-login
 publish-ko: $(KO)
 	@echo "Publish Docker image with ko..." >&2
-	@LD_FLAGS=$(LD_FLAGS) KO_DOCKER_REPO=$(KO_REGISTRY) $(KO) build . --bare --tags=$(KO_TAGS) --platform=$(KO_PLATFORMS)
+	@LD_FLAGS=$(LD_FLAGS) KO_DOCKER_REPO=$(REGISTRY)/$(REPO)/$(IMAGE) $(KO) build . --bare --tags=$(KO_TAGS) --platform=$(KO_PLATFORMS)
 
 ########
 # TEST #