diff --git a/.github/workflows/release-image.yml b/.github/workflows/release-image.yml index c851f40..81b329e 100644 --- a/.github/workflows/release-image.yml +++ b/.github/workflows/release-image.yml @@ -2,6 +2,9 @@ name: Release Image # Reusable workflow: called from ci.yml after all checks pass. # Can also be dispatched manually for rebuilds or tag overrides. +# +# Pushes to the Gitea container registry (the same host the workflow runs on) +# using the auto-provisioned GITHUB_TOKEN. No external secrets required. on: workflow_call: inputs: @@ -9,11 +12,6 @@ on: description: Optional tag override, defaults to sha- required: false type: string - secrets: - GHCR_USERNAME: - required: true - GHCR_TOKEN: - required: true workflow_dispatch: inputs: image_tag: @@ -23,6 +21,7 @@ on: permissions: contents: read + packages: write jobs: build-and-push: @@ -35,12 +34,22 @@ jobs: - name: Set up Docker Buildx run: docker buildx create --use --name ci-builder 2>/dev/null || true - - name: Login to GHCR - # Requires Gitea secrets: GHCR_USERNAME (GitHub username) and - # GHCR_TOKEN (GitHub PAT with write:packages scope) + - id: registry + name: Resolve Gitea registry host + # GITHUB_SERVER_URL is the Gitea base URL (e.g. https://gitea.hartmut-noerenberg.com). + # Strip the scheme to get the container-registry host. run: | - echo "${{ secrets.GHCR_TOKEN }}" | \ - docker login ghcr.io -u "${{ secrets.GHCR_USERNAME }}" --password-stdin + host="${GITHUB_SERVER_URL#https://}" + host="${host#http://}" + echo "host=${host}" >> "$GITHUB_OUTPUT" + + - name: Login to Gitea container registry + # GITHUB_TOKEN is auto-provisioned by Gitea Actions for the running + # workflow; no manual secret configuration required. + run: | + echo "${{ secrets.GITHUB_TOKEN }}" | \ + docker login "${{ steps.registry.outputs.host }}" \ + -u "${{ github.actor }}" --password-stdin - id: vars name: Compute image refs 
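Review bot: `packages: write` is added to the workflow-level `permissions:` block, so every job in this file, including any added later, inherits write access to the package registry. Declaring it under `build-and-push:` instead (`permissions:` with `contents: read` and `packages: write` at job level, top-level block left at `contents: read`) keeps the grant on the one job that pushes. It is also worth confirming that the Gitea version in use enforces `permissions:` for the auto-provisioned token; if the key is ignored, the token's real scope is whatever the server grants by default and this block only documents intent. The `build-and-push` job body continues outside the hunk.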
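Review bot: The login step pastes `${{ secrets.GITHUB_TOKEN }}`, `${{ github.actor }}` and `${{ steps.registry.outputs.host }}` straight into the script text, so they are substituted before the shell parses the line and any quote or `$(` in a value becomes shell syntax. Passing them through `env:` and referencing quoted shell variables keeps them as data. The same applies to `host="${{ steps.registry.outputs.host }}"` in the "Compute image refs" hunk, which can read an env variable instead. Separately, the "Resolve Gitea registry host" step accepts an `http://` server URL and keeps any path or trailing slash; failing the step unless the URL is `https://` and the result is a bare host[:port] would avoid sending the token over plain HTTP where the Docker daemon allows an insecure registry for that host. The steps list starts outside this hunk.

```yaml
      - name: Login to Gitea container registry
        # Values arrive as environment variables, not as script text.
        env:
          REGISTRY_HOST: ${{ steps.registry.outputs.host }}
          REGISTRY_USER: ${{ github.actor }}
          REGISTRY_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          echo "${REGISTRY_TOKEN}" | \
            docker login "${REGISTRY_HOST}" \
              -u "${REGISTRY_USER}" --password-stdin
      # … unchanged: "Compute image refs" step …
```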
@@ -51,8 +60,9 @@ jobs: if [ -z "${image_tag}" ]; then image_tag="sha-${GITHUB_SHA}" fi - echo "app_image=ghcr.io/${owner}/${repo}-app:${image_tag}" >> "$GITHUB_OUTPUT" - echo "migrator_image=ghcr.io/${owner}/${repo}-migrator:${image_tag}" >> "$GITHUB_OUTPUT" + host="${{ steps.registry.outputs.host }}" + echo "app_image=${host}/${owner}/${repo}-app:${image_tag}" >> "$GITHUB_OUTPUT" + echo "migrator_image=${host}/${owner}/${repo}-migrator:${image_tag}" >> "$GITHUB_OUTPUT" # Guardrail anchor: target: runner - name: Build and push app image