.gitea/workflows/build-and-publish.yml

@@ -23,13 +23,16 @@ jobs:
       - name: Set up Buildx
         uses: docker/setup-buildx-action@v3
 
+      # Uses a Personal Access Token with package read/write scope, stored as
+      # the PACKAGES_TOKEN secret. The auto-provided GITEA_TOKEN does not carry
+      # container-registry write permission on most Gitea instances.
       - name: Log in to the Gitea container registry
         if: github.event_name != 'pull_request'
         uses: docker/login-action@v3
         with:
           registry: ${{ env.REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITEA_TOKEN }}
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.PACKAGES_TOKEN }}
 
       - name: Extract image metadata
         id: meta

README.md

@@ -46,9 +46,14 @@ docker run --rm -p 8080:8080 dlr
 
 `.gitea/workflows/build-and-publish.yml` builds the container with Gitea Actions
 and publishes it to this Gitea instance's container registry on pushes to `main`
-and on `v*` tags. Pull requests build the image but do not push. Authentication
-uses the automatically provided `GITEA_TOKEN`; the registry host is derived from
-the Gitea server URL.
+and on `v*` tags. Pull requests build the image but do not push. The registry
+host is derived from the Gitea server URL.
+
+Authentication requires a Personal Access Token with package read/write scope,
+because the automatically provided `GITEA_TOKEN` does not carry container
+registry write permission on most Gitea instances. Create the token under an
+account with write access to the target package namespace, then store it as a
+repository Actions secret named `PACKAGES_TOKEN`.
 
 The published image is `<gitea-host>/<owner>/<repo>`, tagged by branch, semver
 (for `v*` tags), commit SHA, and `latest` on the default branch.