diff --git a/.gitea/workflows/build.yaml b/.gitea/workflows/build.yaml
index 4aeb3ba..bcf9317 100644
--- a/.gitea/workflows/build.yaml
+++ b/.gitea/workflows/build.yaml
@@ -51,11 +51,17 @@ jobs:
 - name: Log in to Gitea registry
 if: steps.meta.outputs.is_release == 'true'
- uses: docker/login-action@v3
- with:
- registry: ${{ vars.REGISTRY }}
- username: ${{ secrets.REGISTRY_USER }}
- password: ${{ secrets.REGISTRY_PASSWORD }}
+ env:
+ # The job image (node:20-bullseye) has no docker CLI, so docker/login-action
+ # can't run. buildx reads ~/.docker/config.json directly, so write the auth
+ # there ourselves. Secrets via env keep them out of the templated script.
+ REGISTRY: ${{ vars.REGISTRY }}
+ REGISTRY_USER: ${{ secrets.REGISTRY_USER }}
+ REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
+ run: |
+ mkdir -p "$HOME/.docker"
+ AUTH="$(printf '%s:%s' "$REGISTRY_USER" "$REGISTRY_PASSWORD" | base64 -w0)"
+ printf '{"auths":{"%s":{"auth":"%s"}}}' "$REGISTRY" "$AUTH" > "$HOME/.docker/config.json"
 - name: Build and push release image
 if: steps.meta.outputs.is_release == 'true'
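Review bot: The hand-written `$HOME/.docker/config.json` in the new `run:` script gets whatever mode the shell's umask yields (commonly world-readable 0644), whereas `docker login` writes that file as 0600, so the base64 auth string is readable by any other user or process that shares the job's filesystem. Putting `umask 077` on the first line of the script would cover both the `mkdir -p` and the redirect. The replaced `docker/login-action` also logged out in its post step, and nothing in this hunk removes the file afterwards, so on a runner that reuses the home directory the credential would outlive the job; a final step with `if: always()` running `rm -f "$HOME/.docker/config.json"` would restore that behaviour. The rest of the job lies outside the hunk, so a later cleanup step may already exist. The value in `AUTH` is derived from the secret and is probably not covered by the runner's log masking, so a comment such as `# never enable set -x here: AUTH is an unmasked encoding of the password` above the `AUTH=` line would help.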