diff --git a/.gitea/workflows/build.yml b/.gitea/workflows/build.yml
index e744e85..6d6b92d 100644
--- a/.gitea/workflows/build.yml
+++ b/.gitea/workflows/build.yml
@@ -136,13 +136,28 @@ jobs:
           VERSION: ${{ steps.version.outputs.version }}
         run: |
           set -euo pipefail
-          printf '%s' "$REG_PASS" \
-            | docker login "${REGISTRY}" -u "$REG_USER" --password-stdin
-          docker build \
-            --pull \
+
+          # Write docker auth config directly. This guarantees the Authorization
+          # header is sent on every request — including PATCH during blob
+          # upload — without depending on a credential store or `docker login`
+          # state. Resolves a known issue where docker-in-docker drops auth
+          # mid-push.
+          mkdir -p /tmp/docker-config
+          AUTH=$(printf '%s:%s' "$REG_USER" "$REG_PASS" | base64 -w 0)
+          cat > /tmp/docker-config/config.json <<EOF
+          {
+            "auths": {
+              "${REGISTRY}": {
+                "auth": "${AUTH}"
+              }
+            }
+          }
+          EOF
+          export DOCKER_CONFIG=/tmp/docker-config
+
+          docker build --pull \
             -t "${REGISTRY}/${IMAGE}:${VERSION}" \
-            -t "${REGISTRY}/${IMAGE}:latest" \
-            .
+            -t "${REGISTRY}/${IMAGE}:latest" .
           docker push "${REGISTRY}/${IMAGE}:${VERSION}"
           docker push "${REGISTRY}/${IMAGE}:latest"