Gitea's docker login is lenient and accepts the org name as a username
at handshake time, but the per-scope token exchange that buildkit
performs for blob operations needs to resolve a real user identity.
Using admin (the user that owns REGISTRY_TOKEN) prevents 401s on
blob HEAD requests during push.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Tagging :latest on every push to local made every CI run try to
overwrite the existing :latest manifest. The Gitea registry rejected
the overwrite, causing builds to fail. Branch builds now produce
only the immutable SHA tag; :latest is reserved for vX.Y.Z tag pushes.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Change runner from runners-farhoodlabs to ubuntu-latest across all fork
workflows. Update container registry from ghcr.io to git.farh.net and
authenticate with REGISTRY_TOKEN. Migrate update-infra API calls from
GitHub to Gitea. Disable refresh-lockfile.yml (requires GitHub gh CLI).
Update CLAUDE.md references.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Pulls the prod image up to the same toolset as the dev image (kubectl,
kubeseal, uv/uvx, forgejo CLIs, nano, vim) without diverging the upstream
root Dockerfile. Both build-dev.yml and build-prod.yml now share the same
fork-overlay Dockerfile; only the image tag and trigger branch differ.
Chris Farhood