diff --git a/.gitea/workflows/cd.yml b/.gitea/workflows/cd.yml
index ebdab4c..3a55e41 100644
--- a/.gitea/workflows/cd.yml
+++ b/.gitea/workflows/cd.yml
@@ -20,14 +20,25 @@ jobs:
 
       - name: Build and push image
         run: |
+          set -e
+          trap 'rm -f /tmp/supervisor-image.tar' EXIT
           IMAGE_TAG="${{ github.sha }}"
           echo "Building ${IMAGE}:${IMAGE_TAG}"
+
+          # Build to local OCI tar (no registry auth needed at build time)
           buildctl --addr "${BUILDKIT_HOST}" build \
             --frontend dockerfile.v0 \
             --local context=. \
             --local dockerfile=. \
             --opt build-arg:VERSION="${IMAGE_TAG}" \
-            --output "type=image,name=${IMAGE}:${IMAGE_TAG},push=true"
+            --output type=oci,dest=/tmp/supervisor-image.tar
+
+          # Push with skopeo using simple credential flag (avoids OAuth token flow)
+          skopeo copy \
+            oci-archive:/tmp/supervisor-image.tar \
+            docker://${IMAGE}:${IMAGE_TAG} \
+            --dest-creds "${{ secrets.REGISTRY_CREDS }}"
+
           echo "Built and pushed ${IMAGE}:${IMAGE_TAG}"
 
       - name: Update infra repo