Replace the raw latest-on-default-branch tag, which moved latest on every
main push, with metadata-action's latest=auto flavor so latest follows the
newest non-prerelease v* release. Add a {{major}} tag alongside the
existing version and major.minor semver tags; branch and SHA tags remain
for traceability of non-release builds.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The auto-provided GITEA_TOKEN does not carry container registry write
permission on most Gitea instances, causing docker login to fail with
"unauthorized". Use a Personal Access Token supplied via the
PACKAGES_TOKEN secret, with the package namespace owner as the username.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Emma Thorpe