workflow: authenticate GHCR pulls in holon-solve (#747)

* workflow: add best-effort GHCR auth for holon-solve

- request packages:read in holon-solve job permissions\n- attempt docker login to ghcr.io before running holon (best effort)\n- add packages:read to generated holon trigger template\n\nThis fixes private GHCR base image pull failures in downstream repos using holon-solve.

* Update .github/workflows/holon-solve.yml

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Author: jolestar

.github/workflows/holon-solve.yml

@@ -582,6 +582,7 @@ jobs:
       issues: write
       pull-requests: write
       id-token: write
+      packages: read
     outputs:
       result: ${{ steps.result.outputs.result }}
       summary: ${{ steps.result.outputs.summary }}
@@ -834,6 +835,17 @@ jobs:
           fi
           docker info
 
+      - name: Login to GHCR (best effort)
+        if: steps.gate.outputs.should_run == 'true' && runner.os == 'Linux'
+        run: |
+          set -euo pipefail
+
+          if printf '%s' "${{ github.token }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin; then
+            echo "Authenticated to ghcr.io with github.token."
+          else
+            echo "::warning title=GHCR Auth::Failed to authenticate to ghcr.io with github.token. Private GHCR base images may fail to pull. Ensure caller workflow grants permissions.packages=read."
+          fi
+
       - name: Run Holon
         id: run
         if: steps.gate.outputs.should_run == 'true'

cmd/holon/templates/workflow.yml

@@ -17,6 +17,7 @@ permissions:
   issues: write
   pull-requests: write
   id-token: write
+  packages: read
 
 jobs:
   holon: