diff --git a/.gitea/workflows/build.yml b/.gitea/workflows/build.yml
index e3b3209..2efce69 100644
--- a/.gitea/workflows/build.yml
+++ b/.gitea/workflows/build.yml
@@ -73,20 +73,25 @@ jobs:
 run: |
 set -euo pipefail
- # Build the image (docker daemon doesn't need auth for the build)
+ # Build via docker (uses dind via DOCKER_HOST)
 docker build --pull \
 -t "${REGISTRY}/${IMAGE}:${VERSION}" \
- -t "${REGISTRY}/${IMAGE}:latest" .
+ .
- # Push with skopeo — always sends auth credentials, bypasses
- # docker's challenge-retry logic that breaks with anonymous /v2/.
- # skopeo copy reads creds from --src-creds / --dest-creds.
+ # Save image to OCI archive — this exports the layers to a tarball
+ # that skopeo can read directly, bypassing the docker socket
+ docker save "${REGISTRY}/${IMAGE}:${VERSION}" -o /tmp/image.tar
+
+ # Push with skopeo from the archive
 skopeo copy --dest-creds "$REG_USER:$REG_PASS" \
- "docker-daemon:${REGISTRY}/${IMAGE}:${VERSION}" \
+ "docker-archive:/tmp/image.tar" \
 "docker://${REGISTRY}/${IMAGE}:${VERSION}"
- skopeo copy --dest-creds "$REG_USER:$REG_PASS" \
- "docker-daemon:${REGISTRY}/${IMAGE}:latest" \
+ # Tag latest by copying within the registry (no rebuild needed)
+ skopeo copy \
+ --src-creds "$REG_USER:$REG_PASS" \
+ --dest-creds "$REG_USER:$REG_PASS" \
+ "docker://${REGISTRY}/${IMAGE}:${VERSION}" \
 "docker://${REGISTRY}/${IMAGE}:latest"
 - name: Tag git commit with version
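Review bot: The added `docker save ... -o /tmp/image.tar` writes the built image to a fixed, predictable path that the following `skopeo copy` then pushes, and nothing in the hunk removes the file afterwards. If the runner's /tmp is shared with other jobs or survives between runs (the runner setup is outside this hunk), another process could pre-create or replace that file between save and push, so the content published under `${VERSION}` and `latest` would not be what was built. A private directory with cleanup closes that gap: `workdir="$(mktemp -d)"; trap 'rm -rf "$workdir"' EXIT`, then `-o "$workdir/image.tar"` and `"docker-archive:$workdir/image.tar"`. Separately, `--src-creds` / `--dest-creds "$REG_USER:$REG_PASS"` place the registry password on the command line, where it is readable from the process list; `skopeo login --password-stdin` or an `--authfile` avoids that. The new comment also calls the tarball an OCI archive, while the step reads it through the `docker-archive:` transport, so the wording should say "docker archive".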