fix: login to registries before buildx setup for auth propagation

- Move Docker Hub + Gitea logins before setup-buildx-action so BuildKit
  container inherits credentials from ~/.docker/config.json
- Remove broken 'Configure Docker for insecure registry' step (DinD runner
  already configured via configmap daemon.json, systemd unavailable)
- Make Docker Hub login unconditional using secrets (not vars)
- Fixes 429 Too Many Requests on docker.io base image pulls

.gitea/workflows/ci.yml

@@ -83,26 +83,10 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-        with:
-          buildkitd-config-inline: |
-            [registry."gitea-http.gitea.svc.cluster.local:3000"]
-              http = true
-              insecure = true
-
-      - name: Configure Docker for insecure registry
-        run: |
-          sudo mkdir -p /etc/docker
-          echo '{"insecure-registries": ["${{ env.REGISTRY_HOST }}"]}' | sudo tee /etc/docker/daemon.json
-          sudo systemctl restart docker || sudo service docker restart || true
-          sleep 2
-
       - name: Login to Docker Hub
-        if: vars.DOCKERHUB_USERNAME != ''
         uses: docker/login-action@v3
         with:
-          username: ${{ vars.DOCKERHUB_USERNAME }}
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Login to Gitea Registry
@@ -112,6 +96,14 @@ jobs:
           username: ${{ secrets.REGISTRY_USER }}
           password: ${{ secrets.REGISTRY_TOKEN }}
 
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          buildkitd-config-inline: |
+            [registry."gitea-http.gitea.svc.cluster.local:3000"]
+              http = true
+              insecure = true
+
       - name: Extract metadata
         id: meta
         uses: docker/metadata-action@v5