diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 0309e4b..ddf0c02 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -9,6 +9,9 @@ jobs:
 runs-on: ubuntu-latest
 permissions:
 security-events: write # permit upload of sarif output from the workflow
+ contents: read
+ packages: write
+ id-token: write
 env:
 GROCY_IMAGE_TAG: ${{ github.event.release.tag_name }}
 steps:
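Review bot: `id-token: write` is granted on the new side, but no step in either hunk requests an OIDC token (no keyless signing, attestation or cloud-federation step is visible), so unless a step outside the diff consumes it the job should run without it: delete the line `id-token: write`. `security-events: write` with its "permit upload of sarif output" comment also survives even though the second hunk removes every upload-sarif step, which leaves a write permission with no consumer; either drop it or keep the SARIF uploads. `packages: write` and `contents: read` match what the ghcr.io push with GITHUB_TOKEN and a checkout need. The job's `steps` list continues outside the hunk.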
@@ -54,33 +57,13 @@ jobs:
 with:
 image: ${{ steps.build-grocy-backend.outputs.image }}
 tags: ${{ steps.build-grocy-backend.outputs.tags }}
- registry: docker.io/grocy
- username: ${{ secrets.DOCKERHUB_USERNAME }}
- password: ${{ secrets.DOCKERHUB_TOKEN }}
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
 - uses: redhat-actions/push-to-registry@v2.5
 with:
 image: ${{ steps.build-grocy-frontend.outputs.image }}
 tags: ${{ steps.build-grocy-frontend.outputs.tags }}
- registry: docker.io/grocy
- username: ${{ secrets.DOCKERHUB_USERNAME }}
- password: ${{ secrets.DOCKERHUB_TOKEN }}
- # Perform vulnerability scanning
- ## Note: please move this to *before* the container publish steps after confirming a way to use anchore/scan-action with locally-built OCI images
- - id: scan-grocy-backend
- uses: anchore/scan-action@v3
- with:
- image: docker.io/grocy/${{ steps.build-grocy-backend.outputs.image-with-tag }}
- fail-build: false # TODO: remove this when scan-action steps are moved to before container publish
- - uses: github/codeql-action/upload-sarif@v2
- with:
- category: scan-grocy-backend
- sarif_file: ${{ steps.scan-grocy-backend.outputs.sarif }}
- - id: scan-grocy-frontend
- uses: anchore/scan-action@v3
- with:
- image: docker.io/grocy/${{ steps.build-grocy-frontend.outputs.image-with-tag }}
- fail-build: false # TODO: remove this when scan-action steps are moved to before container publish
- - uses: github/codeql-action/upload-sarif@v2
- with:
- category: scan-grocy-frontend
- sarif_file: ${{ steps.scan-grocy-frontend.outputs.sarif }}
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
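Review bot: The two anchore/scan-action steps and their upload-sarif steps are deleted rather than re-pointed at the new registry, so released images now reach ghcr.io with no vulnerability scan and no SARIF record in code scanning; the removed note only asked for the scan to be moved before publish, not dropped. If scanning is still intended, keep those steps and change only the image reference, e.g. `image: ghcr.io/<owner>/${{ steps.build-grocy-backend.outputs.image-with-tag }}` (the ghcr namespace is not shown in the diff), and the `fail-build: false` TODO can then be resolved by running the scan ahead of the push. The push steps themselves look right: `packages: write` plus `secrets.GITHUB_TOKEN` is the standard ghcr.io credential, and `github.actor` is only a display username for that token. The first push-to-registry step begins before this hunk.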