diff --git a/.github/workflows/build-and-publish-docker.yaml b/.github/workflows/build-and-publish-docker.yaml
index 72976682..4b7fdf1c 100644
--- a/.github/workflows/build-and-publish-docker.yaml
+++ b/.github/workflows/build-and-publish-docker.yaml
@@ -44,37 +44,37 @@ jobs: uses: tailscale/github-action@53acf823325fe9ca47f4cdaa951f90b4b0de5bb9 # v4 if: github.event_name != 'pull_request' with: - oauth-client-id: ${{ secrets.TS_OAUTH_CLIENT_ID }} - audience: ${{ secrets.TS_AUDIENCE }} - tags: tag:github-actions + oauth-client-id: ${{ secrets.TS_OAUTH_CLIENT_ID }} + audience: ${{ secrets.TS_AUDIENCE }} + tags: tag:github-actions - name: Compute vault jwt role name id: vault-jwt-role if: github.event_name != 'pull_request' run: | - echo "role_name=github_service_management_$( echo "${{ github.repository }}" | sed -r 's|[/-]|_|g')" | tee -a "$GITHUB_OUTPUT" + echo "role_name=github_service_management_$( echo "${{ github.repository }}" | sed -r 's|[/-]|_|g')" | tee -a "$GITHUB_OUTPUT" - name: Get team registry token id: import-secrets uses: hashicorp/vault-action@4c06c5ccf5c0761b6029f56cfb1dcf5565918a3b # v3 if: github.event_name != 'pull_request' with: - url: https://vault.infra.ci.i.element.dev - role: ${{ steps.vault-jwt-role.outputs.role_name }} - path: service-management/github-actions - jwtGithubAudience: https://vault.infra.ci.i.element.dev - method: jwt - secrets: | - services/-repositories/secret/data/oci.element.io username | OCI_USERNAME ; - services/-repositories/secret/data/oci.element.io password | OCI_PASSWORD ; + url: https://vault.infra.ci.i.element.dev + role: ${{ steps.vault-jwt-role.outputs.role_name }} + path: service-management/github-actions + jwtGithubAudience: https://vault.infra.ci.i.element.dev + method: jwt + secrets: | + services/-repositories/secret/data/oci.element.io username | OCI_USERNAME ; + services/-repositories/secret/data/oci.element.io password | OCI_PASSWORD ; - name: Login to oci.element.io Registry uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3 if: github.event_name != 'pull_request' with: - registry: oci-push.vpn.infra.element.io - username: ${{ steps.import-secrets.outputs.OCI_USERNAME }} - password: ${{ steps.import-secrets.outputs.OCI_PASSWORD 
}} + registry: oci-push.vpn.infra.element.io + username: ${{ steps.import-secrets.outputs.OCI_USERNAME }} + password: ${{ steps.import-secrets.outputs.OCI_PASSWORD }} - name: Extract metadata (tags, labels) for Docker id: meta