The auto-issued GITEA_TOKEN in Actions does not carry write:package scope,
so the docker login step failed with 'unauthorized'. Switching to a user-
supplied secret REGISTRY_TOKEN (PAT with write:package + read:package).
Setup on Gitea side:
1. Profile → Settings → Applications → Generate New Token
   with scopes write:package + read:package.
2. Repo → Settings → Actions → Secrets → add REGISTRY_TOKEN = <that PAT>.
Optional: REGISTRY_USER if the owning account differs from gitea.actor.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Runner is arm64, so native build is much faster than amd64-via-QEMU.
Dev/test amd64 images can still be built locally with 'docker build'.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

On push to main (or version tag), the workflow logs into the Gitea container
registry, builds a multi-tag image (sha-<short>, branch name, 'latest' on main,
version on tag) and pushes to gitea.siegeln.net/<owner>/<repo>.
docker-compose.prod.yml now pulls from the registry by default, with
KOCHWAS_TAG env var to pin a specific build.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
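
The tag scheme from the last commit message (sha-<short>, branch name, 'latest' on main, version on tag), written out as an added shell example; it is not the project's workflow. The function names, the 7-character short SHA, the refs/heads and refs/tags ref shapes, and the owner/repo sample values are assumptions.

```shell
#!/bin/sh
# Added example: derive the image references for one build from a git ref
# and commit SHA. Not the project's workflow; names below are hypothetical.

REGISTRY="gitea.siegeln.net"   # registry host named in the commit message

# Map a ref name onto characters Docker accepts in a tag:
# [A-Za-z0-9_.-], no leading '.' or '-', at most 128 characters.
sanitize_tag() {
  printf '%s' "$1" | tr -c 'A-Za-z0-9_.-' '-' | sed 's/^[.-]*//' | cut -c1-128
}

# image_tags <owner/repo> <ref> <full-sha>
# Prints one fully qualified image reference per line.
image_tags() {
  repo=$1
  ref=$2
  sha=$3
  # Refuse anything that is not a lowercase hex commit id before emitting
  # output, so the immutable sha- tag always names a real commit.
  case $sha in
    ''|*[!0-9a-f]*) echo "bad sha: $sha" >&2; return 1 ;;
  esac
  base="$REGISTRY/$repo"
  short=$(printf '%s' "$sha" | cut -c1-7)   # assumption: 7-char short SHA
  case $ref in
    refs/heads/*)
      echo "$base:sha-$short"
      branch=$(sanitize_tag "${ref#refs/heads/}")
      if [ -n "$branch" ]; then echo "$base:$branch"; fi
      # 'latest' is a moving tag and is only attached to builds of main.
      if [ "$ref" = "refs/heads/main" ]; then echo "$base:latest"; fi
      ;;
    refs/tags/*)
      echo "$base:sha-$short"
      version=$(sanitize_tag "${ref#refs/tags/}")   # assumption: tag name used as-is
      if [ -n "$version" ]; then echo "$base:$version"; fi
      ;;
    *) echo "unsupported ref: $ref" >&2; return 1 ;;
  esac
  return 0
}

# Constructed sample input: placeholder repository and commit id.
image_tags owner/repo refs/heads/main 0123456789abcdef0123456789abcdef01234567
```

Of the references printed, only the sha- one stays bound to a single commit, which makes it the value to put in KOCHWAS_TAG when a deployment must not change underneath a later push.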