diff --git a/.forgejo/workflows/docker.yml b/.forgejo/workflows/docker.yml
index 278a963..cbe71fc 100644
--- a/.forgejo/workflows/docker.yml
+++ b/.forgejo/workflows/docker.yml
@@ -48,20 +48,14 @@ jobs:
 
       - uses: actions/checkout@v4
 
-      - name: Install Docker
+      - name: Install skopeo
         run: |
           mkdir -p ~/.local/bin
-          nix build -I nixpkgs=channel:nixos-unstable nixpkgs#docker -o ~/.local/docker
-          ln -sf ~/.local/docker/bin/docker ~/.local/bin/docker
+          nix build -I nixpkgs=channel:nixos-unstable nixpkgs#skopeo -o ~/.local/skopeo
+          ln -sf ~/.local/skopeo/bin/skopeo ~/.local/bin/skopeo
           echo "$HOME/.local/bin" >> $GITHUB_PATH
 
-      - name: Log into registry ${{ env.REGISTRY }}
-        if: github.event_name != 'pull_request'
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ env.GITHUB_ACTOR }}
-          password: ${{ env.GITHUB_TOKEN }}
+      # Note: skopeo handles authentication via --dest-creds flag, so no separate login step needed
 
       - name: Extract Docker metadata
         id: meta
@@ -83,11 +77,13 @@ jobs:
           echo "STRIP_REPO_USERNAME=${STRIP_REPO_USERNAME}" >> ${GITHUB_ENV}
 
       # https://github.com/docker/build-push-action/issues/538
-      - name: Push and tag Docker image
+      - name: Push Docker image with skopeo
         run: |
-          docker load < result
-          docker tag ${{ env.STRIP_REPO_USERNAME }}:latest ${{ env.REGISTRY }}/${{ env.REPO }}:latest
-          docker push ${{ env.REGISTRY }}/${{ env.REPO }}:latest
+          skopeo copy \
+            --insecure-policy \
+            --dest-creds "${{ env.GITHUB_ACTOR }}:${{ env.GITHUB_TOKEN }}" \
+            "docker-archive://$(readlink -f result)" \
+            "docker://${{ env.REGISTRY }}/${{ env.REPO }}:latest"
 
       - name: Push to attic
         if: always()