fix: switch to plain docker build/push with insecure registry [skip images]

- Drop buildx (setup-buildx-action, build-push-action, buildkit config)
- Remove stale buildx builder cleanup step
- Use insecure registry config with SIGHUP daemon reload
- Use CLI docker login with org-level PAT secrets
- Drop registry build cache (incompatible with plain docker build)

.gitea/workflows/build-push.yaml

@@ -126,46 +126,21 @@ jobs:
         if: steps.check.outputs.skip != 'true'
         uses: actions/checkout@v4
 
-      # Clean stale buildx builders from persistent Docker cache (prevents GPU capability errors)
+      - name: Configure insecure registry
-      - name: Clean stale buildx builders
         if: steps.check.outputs.skip != 'true'
         run: |
-          for b in $(docker buildx ls --format '{{.Name}}' 2>/dev/null | grep -v default | grep -v '\*' | sort -u); do
+          sudo mkdir -p /etc/docker
-            docker buildx rm "$b" --force 2>/dev/null || true
+          echo '{"insecure-registries": ["${{ env.REGISTRY_HOST }}"]}' | sudo tee /etc/docker/daemon.json
-          done
+          sudo kill -SIGHUP "$(pidof dockerd)" || true
-          docker container prune --force 2>/dev/null || true
+          sleep 3
 
-      - name: Set up Docker Buildx
+      - name: Login to Gitea Registry
-        if: steps.check.outputs.skip != 'true'
+        if: steps.check.outputs.skip != 'true' && github.event_name != 'pull_request'
-        uses: docker/setup-buildx-action@v3
+        run: echo "${{ secrets.REGISTRY_TOKEN }}" | docker login "${{ env.REGISTRY_HOST }}" -u "${{ secrets.REGISTRY_USER }}" --password-stdin
-        with:
-          buildkitd-config-inline: |
-            [registry."gitea-http.gitea.svc.cluster.local:3000"]
-              http = true
-              insecure = true
 
       - name: Login to Docker Hub
         if: steps.check.outputs.skip != 'true' && vars.DOCKERHUB_USERNAME != ''
-        uses: docker/login-action@v3
+        run: echo "${{ secrets.DOCKERHUB_TOKEN }}" | docker login -u "${{ vars.DOCKERHUB_USERNAME }}" --password-stdin
-        with:
-          username: ${{ vars.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Configure Gitea Registry Auth
-        if: steps.check.outputs.skip != 'true' && github.event_name != 'pull_request'
-        run: |
-          AUTH=$(echo -n "${{ secrets.REGISTRY_USER }}:${{ secrets.REGISTRY_TOKEN }}" | base64 -w0)
-          mkdir -p ~/.docker
-          cat > ~/.docker/config.json << EOF
-          {
-            "auths": {
-              "${{ env.REGISTRY_HOST }}": {
-                "auth": "$AUTH"
-              }
-            }
-          }
-          EOF
-          echo "Auth configured for ${{ env.REGISTRY_HOST }}"
 
       - name: Extract metadata
         if: steps.check.outputs.skip != 'true'
@@ -179,15 +154,23 @@ jobs:
 
       - name: Build and push
         if: steps.check.outputs.skip != 'true'
-        uses: docker/build-push-action@v5
+        run: |
-        with:
+          # Build with all tags
-          context: .
+          TAGS=""
-          file: dockerfiles/${{ matrix.dockerfile }}
+          while IFS= read -r tag; do
-          push: ${{ github.event_name != 'pull_request' }}
+            [ -n "$tag" ] && TAGS="$TAGS -t $tag"
-          tags: ${{ steps.meta.outputs.tags }}
+          done <<< "${{ steps.meta.outputs.tags }}"
-          labels: ${{ steps.meta.outputs.labels }}
+          docker build $TAGS \
-          cache-from: type=registry,ref=${{ env.REGISTRY }}/ray-worker-${{ matrix.name }}:buildcache
+            --label "org.opencontainers.image.source=${{ gitea.server_url }}/${{ gitea.repository }}" \
-          cache-to: type=registry,ref=${{ env.REGISTRY }}/ray-worker-${{ matrix.name }}:buildcache,mode=max,image-manifest=true,compression=zstd
+            --label "org.opencontainers.image.revision=${{ gitea.sha }}" \
+            -f dockerfiles/${{ matrix.dockerfile }} \
+            .
+          # Push each tag (skip for PRs)
+          if [[ "${{ github.event_name }}" != "pull_request" ]]; then
+            while IFS= read -r tag; do
+              [ -n "$tag" ] && docker push "$tag"
+            done <<< "${{ steps.meta.outputs.tags }}"
+          fi
 
   release:
     name: Release