diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 03453e6..8727c07 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -39,7 +39,6 @@ jobs:
       # Install the cosign tool except on PR
       # https://github.com/sigstore/cosign-installer
       - name: Install cosign
-        if: github.event_name != 'pull_request'
         uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 #v3.5.0
         with:
           cosign-release: 'v2.2.4'
@@ -53,7 +52,6 @@ jobs:
       # Login against a Docker registry except on PR
       # https://github.com/docker/login-action
       - name: Log into registry ${{ env.REGISTRY }}
-        if: github.event_name != 'pull_request'
         uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
         with:
           registry: ${{ env.REGISTRY }}
@@ -76,7 +74,7 @@ jobs:
         with:
           context: .
           platforms: linux/amd64,linux/arm64
-          push: ${{ github.event_name != 'pull_request' }}
+          push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
           cache-from: type=gha
@@ -88,7 +86,6 @@ jobs:
       # transparency data even for private images, pass --force to cosign below.
       # https://github.com/sigstore/cosign
       - name: Sign the published Docker image
-        if: ${{ github.event_name != 'pull_request' }}
         env:
           # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
           TAGS: ${{ steps.meta.outputs.tags }}
diff --git a/pkg/issuer/config.go b/pkg/issuer/config.go
index 9fa7730..ce79d67 100644
--- a/pkg/issuer/config.go
+++ b/pkg/issuer/config.go
@@ -2,6 +2,7 @@ package issuer
 
 import (
 	"fmt"
+	"log/slog"
 	"net/url"
 	"os"
 	"strings"
@@ -53,6 +54,9 @@ func ConfigFromEnvs() (Config, error) {
 	config.DstPath = os.Getenv("dex_access_token_file")
 	config.Endpoint = os.Getenv("dex_endpoint")
 	config.BasicAuth = os.Getenv("dex_basic_auth")
+	config.Values.Del("access_token_file")
+	config.Values.Del("endpoint")
+	config.Values.Del("basic_auth")
 
 	var err error
 	if d := os.Getenv("dex_refresh_before"); d != "" {
@@ -64,6 +68,8 @@ func ConfigFromEnvs() (Config, error) {
 		config.RefreshBefore = 1 * time.Hour
 	}
 
+	slog.Debug("config loaded", "config", config)
+
 	return config, nil
 }
 
diff --git a/pkg/issuer/issuer.go b/pkg/issuer/issuer.go
index 59cfc7d..ec58fd0 100644
--- a/pkg/issuer/issuer.go
+++ b/pkg/issuer/issuer.go
@@ -50,6 +50,7 @@ func (iss *tokenIssuer) issue(ctx context.Context, config Config) (string, int,
 		user, password, _ := strings.Cut(config.BasicAuth, ":")
 		req.SetBasicAuth(user, password)
 	}
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
 
 	resp, err := iss.client.Do(req)
 	if err != nil {