diff --git a/.github/workflows/docker-build-publish.yml b/.github/workflows/docker-build-publish.yml
index 196c87c..5764b3a 100644
--- a/.github/workflows/docker-build-publish.yml
+++ b/.github/workflows/docker-build-publish.yml
@@ -111,6 +111,10 @@ jobs:
           if [ -n "${SSH_AUTH_SOCK:-}" ]; then
             SSH_BAKE_JSON='["default"]'
           fi
+          BAKE_ALLOW_FLAGS=()
+          if [ -n "${SSH_AUTH_SOCK:-}" ]; then
+            BAKE_ALLOW_FLAGS+=(--allow=ssh)
+          fi
 
           RAW_REF="${{ github.ref }}"
           SHA_FULL="${{ github.sha }}"
@@ -211,7 +215,7 @@ jobs:
               BAKE_FILE=$(mktemp)
               echo "$BAKE_JSON" > "$BAKE_FILE"
 
-              docker buildx bake --file "$BAKE_FILE" --push
+              docker buildx bake --file "$BAKE_FILE" --push "${BAKE_ALLOW_FLAGS[@]}"
               rm -f "$BAKE_FILE"
 
               while read -r img; do