diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml
index 1c7a5a677c..d0dfe91be7 100644
--- a/.github/workflows/docker.yaml
+++ b/.github/workflows/docker.yaml
@@ -134,7 +134,7 @@ jobs:
 if: ${{ inputs.should-upload-artefact-to-ecr }}
 uses: notaryproject/notation-action/sign@v1
 with:
- plugin_name: aws-signer
+ plugin_name: notation-aws-signer
 plugin_url: https://d2hvyiie56hcat.cloudfront.net/linux/amd64/plugin/latest/notation-aws-signer-plugin.zip
 plugin_checksum: cccfe8fdcdf853d83fd57ffc80524eddda75ad7ae9d9a257b087007230ec02f9
 key_id: arn:aws:signer:eu-west-1:054614622558:/signing-profiles/vol_app_20240313124948142600000001
diff --git a/infra/terraform/modules/account/ecr.tf b/infra/terraform/modules/account/ecr.tf
index 8e41e35ec7..37816702b3 100644
--- a/infra/terraform/modules/account/ecr.tf
+++ b/infra/terraform/modules/account/ecr.tf
@@ -10,8 +10,19 @@ module "ecr" {
 repository_name = "vol-app/${each.key}"
- repository_read_access_arns = var.ecr_read_access_arns
- repository_read_write_access_arns = var.ecr_read_write_access_arns
+ repository_read_access_arns = concat(
+ [
+ module.github[0].oidc_readonly_role_arn,
+ ],
+ var.ecr_read_access_arns
+ )
+
+ repository_read_write_access_arns = concat(
+ [
+ module.github[0].oidc_role_arn,
+ ],
+ var.ecr_read_write_access_arns
+ )
 create_lifecycle_policy = true
 repository_lifecycle_policy = jsonencode({
diff --git a/infra/terraform/modules/github/README.md b/infra/terraform/modules/github/README.md
index e5e47c0ec5..069b51b3f4 100644
--- a/infra/terraform/modules/github/README.md
+++ b/infra/terraform/modules/github/README.md
@@ -38,5 +38,6 @@ No resources.
 | Name | Description |
 |------|-------------|
+| [oidc\_readonly\_role\_arn](#output\_oidc\_readonly\_role\_arn) | The ARN of the GitHub Readonly OIDC role |
 | [oidc\_role\_arn](#output\_oidc\_role\_arn) | The ARN of the GitHub OIDC role |
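Review bot: The value on the `+ plugin_name:` line still looks suspect — `notation sign --plugin` takes the name the plugin registers under, and as far as I recall the AWS Signer plugin registers as `com.amazonaws.signer.notation.plugin`, while `notation-aws-signer` is the name of the binary inside the zip; run `notation plugin list` after the install step to confirm which one the action resolves before relying on this in the release job. Separately, `plugin_url` fetches from a `.../plugin/latest/...` path while `plugin_checksum` pins one specific build, so the step will start failing closed the moment AWS republishes the plugin; if a versioned download path exists, pin it next to the checksum and record the coupling with a comment such as `# plugin_checksum pins the exact build served at plugin_url — bump both together`. The enclosing workflow step begins above this hunk.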
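Review bot: Both new `concat([...], var....)` lists index `module.github[0]` directly, and the GitHub module's outputs are built with `try(..., null)`, so when that module has no instances this fails at plan time with an index error, and when only the readonly role is absent a `null` principal is spliced into the ECR repository policy. Tolerate both cases and drop the null before it reaches the policy, e.g. `repository_read_access_arns = compact(concat([one(module.github[*].oidc_readonly_role_arn)], var.ecr_read_access_arns))` with the same shape for `repository_read_write_access_arns` using `oidc_role_arn` (`compact` removes null elements on recent Terraform; verify for the version pinned here). Since this now grants the CI read-write role push access to every repository created by the `for_each`, a comment above the two attributes stating that intent, e.g. `# GitHub OIDC roles get pull (readonly) and push (read-write) on every vol-app repo; var.* adds further principals`, would save the next reader from having to trace it through `module.github`. The `module "ecr"` block continues outside the hunk.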
diff --git a/infra/terraform/modules/github/outputs.tf b/infra/terraform/modules/github/outputs.tf
index fe4dc185fc..17db045e54 100644
--- a/infra/terraform/modules/github/outputs.tf
+++ b/infra/terraform/modules/github/outputs.tf
@@ -2,3 +2,8 @@ output "oidc_role_arn" {
 description = "The ARN of the GitHub OIDC role"
 value = try(module.iam_github_oidc_role[0].arn, null)
 }
+
+output "oidc_readonly_role_arn" {
+ description = "The ARN of the GitHub Readonly OIDC role"
+ value = try(module.iam_github_oidc_readonly_role[0].arn, null)
+}
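Review bot: `try(module.iam_github_oidc_readonly_role[0].arn, null)` on the new `value` line swallows every evaluation error, not only the no-instances case, so a typo in the module reference or a renamed attribute would silently surface as `null` and consumers would grant nothing without any plan failure; `value = one(module.iam_github_oidc_readonly_role[*].arn)` yields null only when the module has zero instances and still errors on anything else. The description should also tell callers that null is a legitimate value, e.g. `description = "ARN of the GitHub read-only OIDC role, or null when the role is not created"`. The existing `oidc_role_arn` output in the context lines has the same `try` shape, so it is worth changing both together for consistency.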