diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index ace4da229..bb6738ff6 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -629,6 +629,7 @@ jobs:
     uses: ./.github/workflows/docker-build.yml
     permissions:
       packages: write
+      contents: read
     secrets:
       DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
       DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
index d842ef118..b3a11f108 100644
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -18,7 +18,7 @@ on:
         type: string
 
 permissions:
-  packages: write
+  contents: read
 
 jobs:
   deploy-docker:
@@ -37,9 +37,11 @@ jobs:
 
     - name: Extract branch name
       id: extract-branch
+      env:
+        BRANCH_NAME_INPUT: ${{ github.event.inputs.branch_name }}
       run: |
         if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
-          BRANCH_NAME="${{ inputs.branch_name }}"
+          BRANCH_NAME="${BRANCH_NAME_INPUT}"
         else
           BRANCH_NAME="${GITHUB_REF##*/}"
         fi
@@ -95,9 +97,11 @@ jobs:
 
     - name: Extract branch name
       id: extract-branch
+      env:
+        BRANCH_NAME_INPUT: ${{ github.event.inputs.branch_name }}
       run: |
         if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
-          BRANCH_NAME="${{ inputs.branch_name }}"
+          BRANCH_NAME="${BRANCH_NAME_INPUT}"
         else
           BRANCH_NAME="${GITHUB_REF##*/}"
         fi