diff --git a/.forgejo/workflows/docker.yml b/.forgejo/workflows/docker.yml
index 278a963..569c759 100644
--- a/.forgejo/workflows/docker.yml
+++ b/.forgejo/workflows/docker.yml
@@ -48,21 +48,28 @@ jobs:
 
       - uses: actions/checkout@v4
 
-      - name: Install Docker
+      # Install skopeo from Nix (for daemonless image operations)
+      - name: Install skopeo
         run: |
           mkdir -p ~/.local/bin
-          nix build -I nixpkgs=channel:nixos-unstable nixpkgs#docker -o ~/.local/docker
-          ln -sf ~/.local/docker/bin/docker ~/.local/bin/docker
+          nix build -I nixpkgs=channel:nixos-unstable nixpkgs#skopeo -o ~/.local/skopeo
+          ln -sf ~/.local/skopeo/bin/skopeo ~/.local/bin/skopeo
           echo "$HOME/.local/bin" >> $GITHUB_PATH
+          # Create a simple policy file for skopeo
+          mkdir -p ~/.config/containers
+          cat > ~/.config/containers/policy.json << 'EOF'
+          {
+            "default": [
+              {
+                "type": "insecureAcceptAnything"
+              }
+            ]
+          }
+          EOF
+          skopeo --version
 
-      - name: Log into registry ${{ env.REGISTRY }}
-        if: github.event_name != 'pull_request'
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ env.GITHUB_ACTOR }}
-          password: ${{ env.GITHUB_TOKEN }}
-
+      # Extract metadata (tags, labels) for Docker
+      # https://github.com/docker/metadata-action
       - name: Extract Docker metadata
         id: meta
         uses: docker/metadata-action@v5
@@ -83,11 +90,27 @@ jobs:
           echo "STRIP_REPO_USERNAME=${STRIP_REPO_USERNAME}" >> ${GITHUB_ENV}
 
       # https://github.com/docker/build-push-action/issues/538
-      - name: Push and tag Docker image
+      - name: Push Docker image with skopeo
+        if: github.event_name != 'pull_request'
         run: |
-          docker load < result
-          docker tag ${{ env.STRIP_REPO_USERNAME }}:latest ${{ env.REGISTRY }}/${{ env.REPO }}:latest
-          docker push ${{ env.REGISTRY }}/${{ env.REPO }}:latest
+          # The Nix result is a compressed tarball, we need to extract it first
+          TARGET_FILE=$(readlink -f result)
+          echo "Target file: $TARGET_FILE"
+
+          # Extract the compressed tarball to get the docker archive
+          gunzip -c "$TARGET_FILE" > docker-image.tar
+
+          # Debug authentication
+          echo "Registry: ${{ env.REGISTRY }}"
+          echo "Repository: ${{ env.REPO }}"
+          echo "Username: ${{ github.actor }}"
+
+          # Copy the image directly from the extracted archive to the registry
+          skopeo copy \
+            --dest-creds="${{ github.actor }}:${{ secrets.GITHUB_TOKEN }}" \
+            --dest-tls-verify=false \
+            docker-archive:docker-image.tar \
+            docker://${{ env.REGISTRY }}/${{ env.REPO }}:latest
 
       - name: Push to attic
         if: always()