fix(ci): use REGISTRY_TOKEN for build-and-push registry login (CAR-1330)

Unblocks CAR-1132 production deploy. The automatic github.token has no
package/registry write scope; auth's proven-green ci.yml uses
secrets.REGISTRY_TOKEN instead.

cc @cpfarhood

.gitea/workflows/ci.yml

@@ -140,6 +140,8 @@ jobs:
           labels: ${{ steps.meta.outputs.labels }}
           build-args: |
             APT_CACHE_BUST=${{ github.run_id }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
 
       - name: Scan api image for vulnerabilities
         uses: anchore/scan-action@v5
@@ -160,9 +162,13 @@ jobs:
         uses: docker/build-push-action@v6
         with:
           context: .
+          file: ./Dockerfile
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+          build-args: |
+            APT_CACHE_BUST=${{ github.run_id }}
+          cache-from: type=gha
 
       - name: Create git tag
         if: github.event_name == 'push' && github.ref == 'refs/heads/main'