From b172b6a31928c32a3a73837a25bd0d90fa60a18c Mon Sep 17 00:00:00 2001
From: Chris Farhood <chris@farhood.org>
Date: Wed, 27 May 2026 22:28:10 -0400
Subject: [PATCH] ci: log into registry as token owner (admin), not org name

Gitea's docker login is lenient and accepts the org name as a username
at handshake time, but the per-scope token exchange that buildkit
performs for blob operations needs to resolve a real user identity.
Using admin (the user that owns REGISTRY_TOKEN) prevents 401s on
blob HEAD requests during push.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .farhoodlabs/.github/workflows/build-prod.yml | 2 +-
 .github/workflows/build-prod.yml              | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.farhoodlabs/.github/workflows/build-prod.yml b/.farhoodlabs/.github/workflows/build-prod.yml
index 7340ec63..98a63c8e 100644
--- a/.farhoodlabs/.github/workflows/build-prod.yml
+++ b/.farhoodlabs/.github/workflows/build-prod.yml
@@ -24,7 +24,7 @@ jobs:
         uses: docker/login-action@v3
         with:
           registry: git.farh.net
-          username: ${{ gitea.repository_owner }}
+          username: admin
           password: ${{ secrets.REGISTRY_TOKEN }}
 
       - name: Docker meta
diff --git a/.github/workflows/build-prod.yml b/.github/workflows/build-prod.yml
index 7340ec63..98a63c8e 100644
--- a/.github/workflows/build-prod.yml
+++ b/.github/workflows/build-prod.yml
@@ -24,7 +24,7 @@ jobs:
         uses: docker/login-action@v3
         with:
           registry: git.farh.net
-          username: ${{ gitea.repository_owner }}
+          username: admin
           password: ${{ secrets.REGISTRY_TOKEN }}
 
       - name: Docker meta