- Move Docker Hub + Gitea logins before setup-buildx-action so BuildKit
  container inherits credentials from ~/.docker/config.json
- Remove broken 'Configure Docker for insecure registry' step (DinD runner
  already configured via configmap daemon.json, systemd unavailable)
- Make Docker Hub login unconditional using secrets (not vars)
- Fixes 429 Too Many Requests on docker.io base image pulls

- Docker Hub login now happens before Gitea login, both via login-action
- Previous manual config.json write was clobbering Docker Hub auth
- buildx docker-container driver inherits auth from login-action correctly
- Fixes 429 Too Many Requests from unauthenticated Docker Hub pulls

Ruff runs via uvx in its own isolated environment and does not need
the project's runtime dependencies installed. This avoids PEP 668
externally-managed-environment errors on Debian-based runners.