diff --git a/.forgejo/workflows/docker.yml b/.forgejo/workflows/docker.yml
index 998c15c..711d38d 100644
--- a/.forgejo/workflows/docker.yml
+++ b/.forgejo/workflows/docker.yml
@@ -11,13 +11,9 @@ on:
       - 'src/food-market.infrastructure/**'
       - 'src/food-market.shared/**'
       - 'deploy/**'
-      - '.github/workflows/docker.yml'
+      - '.forgejo/workflows/docker.yml'
   workflow_dispatch:
 
-permissions:
-  contents: read
-  packages: write
-
 env:
   LOCAL_REGISTRY: 127.0.0.1:5001
 
@@ -28,44 +24,15 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
-      - name: Login to ghcr
-        env:
-          TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          ACTOR: ${{ github.actor }}
-        run: |
-          for i in 1 2 3 4 5; do
-            if echo "$TOKEN" | docker login ghcr.io -u "$ACTOR" --password-stdin; then
-              exit 0
-            fi
-            echo "login attempt $i failed, retrying in 15s"
-            sleep 15
-          done
-          exit 1
-
       - name: Build + push api
         env:
-          OWNER: ${{ github.repository_owner }}
           SHA: ${{ github.sha }}
         run: |
           docker build -f deploy/Dockerfile.api \
             -t $LOCAL_REGISTRY/food-market-api:$SHA \
-            -t $LOCAL_REGISTRY/food-market-api:latest \
-            -t ghcr.io/$OWNER/food-market-api:$SHA \
-            -t ghcr.io/$OWNER/food-market-api:latest .
-
-          # Push to LOCAL registry first (deploy depends on it) — it's on localhost, reliable.
+            -t $LOCAL_REGISTRY/food-market-api:latest .
           for tag in $SHA latest; do
-            docker push $LOCAL_REGISTRY/food-market-api:$tag || { echo "local push $tag failed"; exit 1; }
-          done
-
-          # Push to ghcr.io as off-site backup. Flaky on KZ network — retry, but don't fail the job.
-          for tag in $SHA latest; do
-            for i in 1 2 3 4 5; do
-              if docker push ghcr.io/$OWNER/food-market-api:$tag; then break; fi
-              echo "ghcr push $tag attempt $i failed, retrying in 15s"
-              sleep 15
-              [ $i -eq 5 ] && echo "::warning::ghcr push $tag failed after 5 attempts — local registry still has the image"
-            done
+            docker push $LOCAL_REGISTRY/food-market-api:$tag
           done
 
   web:
@@ -74,40 +41,13 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
-      - name: Login to ghcr
-        env:
-          TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          ACTOR: ${{ github.actor }}
-        run: |
-          for i in 1 2 3 4 5; do
-            if echo "$TOKEN" | docker login ghcr.io -u "$ACTOR" --password-stdin; then
-              exit 0
-            fi
-            echo "login attempt $i failed, retrying in 15s"
-            sleep 15
-          done
-          exit 1
-
       - name: Build + push web
         env:
-          OWNER: ${{ github.repository_owner }}
           SHA: ${{ github.sha }}
         run: |
           docker build -f deploy/Dockerfile.web \
             -t $LOCAL_REGISTRY/food-market-web:$SHA \
-            -t $LOCAL_REGISTRY/food-market-web:latest \
-            -t ghcr.io/$OWNER/food-market-web:$SHA \
-            -t ghcr.io/$OWNER/food-market-web:latest .
-
+            -t $LOCAL_REGISTRY/food-market-web:latest .
           for tag in $SHA latest; do
-            docker push $LOCAL_REGISTRY/food-market-web:$tag || { echo "local push $tag failed"; exit 1; }
-          done
-
-          for tag in $SHA latest; do
-            for i in 1 2 3 4 5; do
-              if docker push ghcr.io/$OWNER/food-market-web:$tag; then break; fi
-              echo "ghcr push $tag attempt $i failed, retrying in 15s"
-              sleep 15
-              [ $i -eq 5 ] && echo "::warning::ghcr push $tag failed after 5 attempts — local registry still has the image"
-            done
+            docker push $LOCAL_REGISTRY/food-market-web:$tag
           done