CI: separate docker build and docker publish steps

.github/workflows/docker.yml

@@ -1,8 +1,9 @@
 name: "Publish Docker Image"
 
 env:
-  REGISTRY: ghcr.io
-  IMAGE_NAME: ${{ github.repository }}
+  USERNAME: "${{ github.actor }}"
+  PASSWORD: "${{ secrets.GITHUB_TOKEN }}"
+  IMAGE_NAME: "${{ github.repository }}"
 
 on:
   pull_request:
@@ -32,22 +33,36 @@ jobs:
         uses: DeterminateSystems/nix-installer-action@main
       - uses: DeterminateSystems/magic-nix-cache-action@main
 
+      - name: Build Exposed Docker Image
+        run: nix build .#docker-nix --print-build-logs
+
+  publish-to-dockerhub:
+    name: "Publish Docker Image (Dockerhub)"
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
       - name: Log into ghcr
         uses: docker/login-action@master
         with:
           registry: "${{ env.REGISTRY }}"
-          username: "${{ github.actor }}"
-          password: "${{ secrets.GITHUB_TOKEN }}"
-
-      - name: Build Exposed Docker Image
-        run: nix build .#docker-nix --print-build-logs
+          username: "${{ env.USERNAME }}"
+          password: "${{ env.PASSWORD }}"
 
       - name: Publish Docker Image
         run: |
           #!/usr/bin/env bash
           set -eu
 
-          docker login "${{ env.REGISTRY }}" --username "${{ github.actor}}" --password "${{ secrets.GITHUB_TOKEN}}"
+          docker login "docker.io" \
+            --username "${{ env.USERNAME}}" \
+            --password "${{ env.PASSWORD }}"
 
           # load the built image
           docker load -i result &&