ci: use GITHUB_TOKEN instead of CR_PAT for GHCR login #93

Merged: chorrell merged 1 commit into main from ci/use-github-token-for-ghcr on May 26, 2026

@chorrell
Owner

The push job already has permissions: packages: write, so the built-in GITHUB_TOKEN is sufficient for authenticating with ghcr.io. This removes the need to create, rotate, or store a personal access token (CR_PAT) as a repo secret.

The CR_PAT secret can be deleted from the repository after this is merged.

@chorrell chorrell merged commit 0fe1b77 into main May 26, 2026
2 checks passed
@chorrell chorrell deleted the ci/use-github-token-for-ghcr branch May 26, 2026 03:58
@chorrell
Owner Author

Build failure — one-time manual setup required

The push job failed with permission_denied: write_package on GHCR. The GITHUB_TOKEN already has packages: write scope, but GHCR package access is controlled separately from repository token permissions.

Because the ghcr.io/chorrell/json package was originally created via CR_PAT, it is not yet connected to this repository. The GITHUB_TOKEN can only push to packages that are explicitly linked to the repository that's running the workflow.

One-time fix (no code change needed):

  1. Go to https://github.com/users/chorrell/packages/container/json/settings
  2. Under "Manage Actions access", click "Add Repository"
  3. Select chorrell/docker-json and set the role to Write
  4. Re-run the failed job

After that, the GITHUB_TOKEN will work and the CR_PAT secret can be deleted from the repository.
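
The login change discussed in this pull request, sketched as an added example that is not the workflow file from chorrell/docker-json and not part of either comment above. The workflow name, trigger, runner, action versions and image tag are assumptions; the job name, registry, package name and permission come from the conversation.

```yaml
# Added illustration; not the repository's actual workflow.
# Workflow name, trigger, runner, action versions and the image tag are assumptions.
name: docker
on:
  push:
    branches: [main]

jobs:
  push:
    runs-on: ubuntu-latest
    # Job-level grant: GITHUB_TOKEN receives only what this job needs.
    permissions:
      contents: read
      packages: write
    steps:
      - uses: actions/checkout@v4

      # Before: long-lived personal access token stored as a repo secret.
      # - uses: docker/login-action@v3
      #   with:
      #     registry: ghcr.io
      #     username: ${{ github.repository_owner }}
      #     password: ${{ secrets.CR_PAT }}

      # After: per-run token issued by Actions; nothing to create, rotate or store.
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # The push succeeds only once the package grants this repository the
      # Write role under "Manage Actions access" (the one-time fix above).
      - uses: docker/build-push-action@v6
        with:
          context: .
          push: true
          tags: ghcr.io/chorrell/json:latest  # tag is an assumption
```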
