diff --git a/.gitea/workflows/build.yml b/.gitea/workflows/build.yml
index 615f7d6..9f6b8a2 100644
--- a/.gitea/workflows/build.yml
+++ b/.gitea/workflows/build.yml
@@ -76,21 +76,22 @@ jobs:
           docker build --pull -t "${REGISTRY}/${IMAGE}:${VERSION}" .
           docker save "${REGISTRY}/${IMAGE}:${VERSION}" -o /tmp/image.tar
           
-          # Pre-authenticate via skopeo login so it caches the basic-auth header
-          # in /run/containers/0/auth.json. Then copy with no creds — uses cache.
-          mkdir -p /run/containers/0
-          skopeo login \
-            --username "$REG_USER" \
-            --password "$REG_PASS" \
-            "${REGISTRY}"
+          # Write auth file using printf (no shell interpretation of password content)
+          AUTH=$(printf '%s:%s' "$REG_USER" "$REG_PASS" | base64 -w0)
+          mkdir -p /tmp/auth
+          printf '{"auths":{"%s":{"auth":"%s"}}}\n' "$REGISTRY" "$AUTH" > /tmp/auth/auth.json
           
-          skopeo copy \
+          # Sanity check the file is readable and matches expected
+          cat /tmp/auth/auth.json
+          
+          skopeo copy --authfile /tmp/auth/auth.json \
             "docker-archive:/tmp/image.tar" \
             "docker://${REGISTRY}/${IMAGE}:${VERSION}"
           
-          skopeo copy \
+          skopeo copy --authfile /tmp/auth/auth.json \
             "docker://${REGISTRY}/${IMAGE}:${VERSION}" \
             "docker://${REGISTRY}/${IMAGE}:latest"
+
       - name: Tag git commit with version
         env:
           VERSION: ${{ steps.version.outputs.version }}