diff --git a/.gitea/workflows/build.yml b/.gitea/workflows/build.yml index aa36c51..e744e85 100644 --- a/.gitea/workflows/build.yml +++ b/.gitea/workflows/build.yml @@ -23,7 +23,7 @@ jobs: env: DOCKER_HOST: tcp://172.17.0.1:2375 - + outputs: version: ${{ steps.version.outputs.version }} 
@@ -61,6 +61,69 @@ jobs: fi echo "version=${next}" >> "$GITHUB_OUTPUT" + - name: Diagnose push failure + env: + REG_USER: ${{ secrets.REGISTRY_USERNAME }} + REG_PASS: ${{ secrets.REGISTRY_PASSWORD }} + VERSION: ${{ steps.version.outputs.version }} + run: | + set +e + + echo "=== 1. Auth value lengths ===" + echo "USER length: ${#REG_USER}" + echo "PASS length: ${#REG_PASS}" + echo + + echo "=== 2. Test creds with curl POST blobs/uploads ===" + curl_resp=$(curl -s -o /dev/null -w 'http_code=%{http_code}' \ + -u "$REG_USER:$REG_PASS" -X POST \ + "https://${REGISTRY}/v2/${IMAGE}/blobs/uploads/") + echo "$curl_resp" + echo + + echo "=== 3. Docker login (verbose) ===" + printf '%s' "$REG_PASS" | docker login "${REGISTRY}" -u "$REG_USER" --password-stdin + echo "Exit code: $?" + echo + + echo "=== 4. Decoded auth from docker config ===" + if [ -f "$HOME/.docker/config.json" ]; then + decoded=$(jq -r '.auths["registry.c5ai.ch"].auth // empty' "$HOME/.docker/config.json" | base64 -d 2>/dev/null) + echo "Decoded length: ${#decoded}" + # Verify it equals USER:PASS + expected="${REG_USER}:${REG_PASS}" + if [ "$decoded" = "$expected" ]; then + echo "Stored auth matches expected USER:PASS" + else + echo "MISMATCH between stored auth and expected" + echo "Expected length: ${#expected}, stored length: ${#decoded}" + fi + fi + echo + + echo "=== 5. Pull tiny image (proves daemon connectivity) ===" + docker pull alpine:3.20 2>&1 | tail -3 + echo + + echo "=== 6. Push tiny image ===" + docker tag alpine:3.20 "${REGISTRY}/${IMAGE}:debug-tiny" + docker push "${REGISTRY}/${IMAGE}:debug-tiny" 2>&1 | tail -10 + echo "Exit code: $?" + echo + + echo "=== 7. Direct PUT manifest using curl (manifest endpoint) ===" + # If a layer exists already in the registry, we can test manifest auth alone + curl -s -o /dev/null -w 'http_code=%{http_code}\n' \ + -u "$REG_USER:$REG_PASS" \ + "https://${REGISTRY}/v2/${IMAGE}/manifests/0.1.4" + echo + + echo "=== 8. 
PATCH endpoint test (the operation that fails during push) ===" + # First initiate an upload to get a session URL + loc=$(curl -s -i -u "$REG_USER:$REG_PASS" -X POST \ + "https://${REGISTRY}/v2/${IMAGE}/blobs/uploads/" | grep -i '^location:' | tr -d '\r' | awk '{print $2}') + echo "Upload location: $loc" + - name: Build and push image # Combine login + build + push in a single run block. act_runner can # use ephemeral per-step containers in some configurations, in which
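Review bot: The added "Diagnose push failure" step runs on every build with the registry credentials and has no `if:` guard or cleanup, so it should be removed before merge or gated behind an explicit condition. Inside it the password is passed as a curl argument (`-u "$REG_USER:$REG_PASS"` in sections 2, 7 and 8), the job log records the username and password lengths plus the raw upload `Location` URL from section 8, and `docker login` appears to leave the credential in `$HOME/.docker/config.json` with no matching `docker logout`. Section 6 pushes an unrelated `alpine:3.20` as `${REGISTRY}/${IMAGE}:debug-tiny`, and the blob uploads opened in sections 2 and 8 are never cancelled, so each run leaves artefacts in the real image repository. In section 6, `echo "Exit code: $?"` after `docker push ... 2>&1 | tail -10` reports the status of `tail`, not of the push; use `set -o pipefail`, or `${PIPESTATUS[0]}` if the step runs under bash. Section 4 hard-codes `registry.c5ai.ch` instead of `${REGISTRY}`, and section 7 hard-codes `0.1.4` and issues a GET although its banner says PUT, while the `VERSION` variable is never used.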