diff --git a/.forgejo/workflows/docker.yml b/.forgejo/workflows/docker.yml
index 278a963..f0c088d 100644
--- a/.forgejo/workflows/docker.yml
+++ b/.forgejo/workflows/docker.yml
@@ -48,20 +48,14 @@ jobs:
 
       - uses: actions/checkout@v4
 
-      - name: Install Docker
+      - name: Install skopeo
         run: |
           mkdir -p ~/.local/bin
-          nix build -I nixpkgs=channel:nixos-unstable nixpkgs#docker -o ~/.local/docker
-          ln -sf ~/.local/docker/bin/docker ~/.local/bin/docker
+          nix build -I nixpkgs=channel:nixos-unstable nixpkgs#skopeo -o ~/.local/skopeo
+          ln -sf ~/.local/skopeo/bin/skopeo ~/.local/bin/skopeo
           echo "$HOME/.local/bin" >> $GITHUB_PATH
 
-      - name: Log into registry ${{ env.REGISTRY }}
-        if: github.event_name != 'pull_request'
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ env.GITHUB_ACTOR }}
-          password: ${{ env.GITHUB_TOKEN }}
+      # Note: skopeo handles authentication via --dest-creds flag, so no separate login step needed
 
       - name: Extract Docker metadata
         id: meta
@@ -72,6 +66,17 @@ jobs:
       - name: Build Nix package
         run: nix build .#my-docker
 
+      - name: Verify built image
+        run: |
+          export TMPDIR=/tmp
+          mkdir -p $TMPDIR
+          IMAGE_PATH=$(readlink -f result)
+          echo "Image path: $IMAGE_PATH"
+          echo "Image file info:"
+          ls -la "$IMAGE_PATH"
+          echo "Verifying image structure..."
+          skopeo inspect tarball:"$IMAGE_PATH"
+
       # https://github.com/orgs/community/discussions/25768#discussioncomment-3249183
       - name: Downcase REPO
         run: |
@@ -83,11 +88,18 @@ jobs:
           echo "STRIP_REPO_USERNAME=${STRIP_REPO_USERNAME}" >> ${GITHUB_ENV}
 
       # https://github.com/docker/build-push-action/issues/538
-      - name: Push and tag Docker image
+      - name: Push Docker image with skopeo
         run: |
-          docker load < result
-          docker tag ${{ env.STRIP_REPO_USERNAME }}:latest ${{ env.REGISTRY }}/${{ env.REPO }}:latest
-          docker push ${{ env.REGISTRY }}/${{ env.REPO }}:latest
+          export TMPDIR=/tmp
+          mkdir -p $TMPDIR
+          IMAGE_PATH=$(readlink -f result)
+          echo "Pushing image from: $IMAGE_PATH"
+          echo "Target registry: ${{ env.REGISTRY }}/${{ env.REPO }}:latest"
+          skopeo copy \
+            --insecure-policy \
+            --dest-creds "${{ env.GITHUB_ACTOR }}:${{ env.GITHUB_TOKEN }}" \
+            "tarball:$IMAGE_PATH" \
+            "docker://${{ env.REGISTRY }}/${{ env.REPO }}:latest"
 
       - name: Push to attic
         if: always()