bug: `gen.OCIRepository().LookupArtifact(ocirepo, META)` is not working without authentication

What happened:

Fetched a component descriptor in a public repository here: https://github.com/users/Skarlso/packages/container/package/component-descriptors%2Fgithub.com%2Facme%2Fpodinfo

Everything went fine, we were able to fetch the right resource data and everything.

However, during defer cv.Close() we noticed this error in the log:

2024-08-13T11:54:37Z    ERROR   component-controller    failed to close component version   {"controller": "component", "controllerGroup": "delivery.ocm.software", "controllerKind": "Component", "Component": {"name":"podinfo-component","namespace":"default"}, "namespace": "default", "name": "podinfo-component", "reconcileID": "f5cdc68d-f5b7-417a-bbe5-d1d6ee48e509", "error": "closing github.com/acme/podinfo:v6.0.0: unable to unref last: unable to cleanup component version  github.com/acme/podinfo/v6.0.0 while unref last: closing component version github.com/acme/podinfo:v6.0.0: cannot access meta data manifest version: failed to authorize: failed to fetch anonymous token: unexpected status from GET request to https://ghcr.io/token?scope=repository%3Askarlso%2Fcomponent-descriptors%3Apull&service=ghcr.io: 403 Forbidden"}
github.com/open-component-model/ocm-k8s-toolkit/internal/controller.(*ComponentReconciler).Reconcile.func2
    /Users/skarlso/goprojects/SAP/openfluxcd/ocm-k8s-toolkit/internal/controller/component_controller.go:138

Because the component is in a public repository, we didn't provide any access credentials and didn't expect to need any either.

This endpoint, however, is not accessible without authentication evidently.

What you expected to happen:

How to reproduce it (as minimally and precisely as possible):

Anything else we need to know:

Environment:

open-component-model / ocm

bug: `gen.OCIRepository().LookupArtifact(ocirepo, META)` is not working without authentication #872