diff --git a/.gitea/workflows/build.yml b/.gitea/workflows/build.yml
index e1a14f1..b97f94f 100644
--- a/.gitea/workflows/build.yml
+++ b/.gitea/workflows/build.yml
@@ -61,19 +61,27 @@ jobs:
           fi
           echo "version=${next}" >> "$GITHUB_OUTPUT"
 
-      - name: Confirm auth headers
+      - name: Single shell test
         env:
           REG_USER: ${{ secrets.REGISTRY_USERNAME }}
           REG_PASS: ${{ secrets.REGISTRY_PASSWORD }}
         run: |
           set -x
-          # Show what docker config docker is actually reading
-          echo "DOCKER_CONFIG=$DOCKER_CONFIG"
-          ls -la ${DOCKER_CONFIG:-$HOME/.docker}/
-          cat ${DOCKER_CONFIG:-$HOME/.docker}/config.json
+          # All in one shell
+          mkdir -p /tmp/dc
+          AUTH=$(printf '%s:%s' "$REG_USER" "$REG_PASS" | base64 -w 0)
+          printf '{"auths":{"registry.c5ai.ch":{"auth":"%s"}}}' "$AUTH" > /tmp/dc/config.json
+          export DOCKER_CONFIG=/tmp/dc
           
-          # Use docker --debug to see actual HTTP requests
-          docker --log-level=debug push registry.c5ai.ch/pieced/pieced-portal:0.1.5 2>&1 | grep -iE "auth|401|header" | head -30
+          # Verify the file is there RIGHT NOW
+          ls -la /tmp/dc/
+          cat /tmp/dc/config.json
+          
+          # Push something — anything — using this config
+          docker pull alpine:3.20
+          docker tag alpine:3.20 registry.c5ai.ch/pieced/pieced-portal:debug-auth
+          docker push registry.c5ai.ch/pieced/pieced-portal:debug-auth
+          docker info 2>&1 | grep -i config
 
       - name: Build and push image
         # Combine login + build + push in a single run block. act_runner can