Add docker env

.gitea/workflows/build.yml

@@ -21,9 +21,6 @@ jobs:
     # runner config, but self-hosted makes intent explicit.
     runs-on: ubuntu-latest
 
-    env:
-      DOCKER_HOST: tcp://172.17.0.1:2375
-
     outputs:
       version: ${{ steps.version.outputs.version }}
 
@@ -37,9 +34,12 @@ jobs:
         # strict semver (skips 'latest', 'dev', '<sha>-dirty', etc.), picks the
         # highest with version-sort, and bumps the patch component. If nothing
         # numeric exists yet (fresh registry), starts at 0.1.0.
+        env:
+          REG_USER: ${{ secrets.REGISTRY_USERNAME }}
+          REG_PASS: ${{ secrets.REGISTRY_PASSWORD }}
         run: |
           set -euo pipefail
-          tags_json=$(curl -sf -u "${{ secrets.REGISTRY_USERNAME }}:${{ secrets.REGISTRY_PASSWORD }}" \
+          tags_json=$(curl -sf -u "$REG_USER:$REG_PASS" \
             "https://${REGISTRY}/v2/${IMAGE}/tags/list")
           highest=$(echo "$tags_json" \
             | jq -r '.tags // [] | .[]' \
@@ -58,16 +58,20 @@ jobs:
           fi
           echo "version=${next}" >> "$GITHUB_OUTPUT"
 
-      - name: Login to registry
-        run: |
-          echo "${{ secrets.REGISTRY_PASSWORD }}" \
-            | docker login "${REGISTRY}" -u "${{ secrets.REGISTRY_USERNAME }}" --password-stdin
-
       - name: Build and push image
+        # Combine login + build + push in a single run block. act_runner can
+        # use ephemeral per-step containers in some configurations, in which
+        # case `docker login` from one step doesn't leave its cached
+        # ~/.docker/config.json visible to the next step. Doing everything
+        # in one shell session sidesteps that entirely.
         env:
+          REG_USER: ${{ secrets.REGISTRY_USERNAME }}
+          REG_PASS: ${{ secrets.REGISTRY_PASSWORD }}
           VERSION: ${{ steps.version.outputs.version }}
         run: |
           set -euo pipefail
+          printf '%s' "$REG_PASS" \
+            | docker login "${REGISTRY}" -u "$REG_USER" --password-stdin
           docker build \
             --pull \
             -t "${REGISTRY}/${IMAGE}:${VERSION}" \

.gitea/workflows/deploy.yml

@@ -24,11 +24,15 @@ jobs:
     steps:
       - name: Verify image exists in registry
         # Fail fast if the user typed a version that was never built. Catches
-        # typos before we touch the gitops repo.
+        # typos before we touch the gitops repo. Uses env-var pattern for
+        # credentials to avoid shell interpolation mangling special characters.
+        env:
+          REG_USER: ${{ secrets.REGISTRY_USERNAME }}
+          REG_PASS: ${{ secrets.REGISTRY_PASSWORD }}
         run: |
           set -euo pipefail
           status=$(curl -sf -o /dev/null -w '%{http_code}' \
-            -u "${{ secrets.REGISTRY_USERNAME }}:${{ secrets.REGISTRY_PASSWORD }}" \
+            -u "$REG_USER:$REG_PASS" \
             "https://${REGISTRY}/v2/${IMAGE}/manifests/${{ inputs.version }}" \
             || true)
           if [ "$status" != "200" ]; then