diff --git a/.gitea/workflows/docker-publish.yml b/.gitea/workflows/docker-publish.yml
index 150342b..ac75382 100644
--- a/.gitea/workflows/docker-publish.yml
+++ b/.gitea/workflows/docker-publish.yml
@@ -18,6 +18,8 @@ jobs:
           REPO_DIR="repo"
           SERVER_URL="${GITHUB_SERVER_URL:-$GITEA_SERVER_URL}"
           TOKEN="${GITHUB_TOKEN:-$GITEA_TOKEN}"
+          CLONE_USER="${{ secrets.REGISTRY_USERNAME }}"
+          CLONE_PASS="${{ secrets.REGISTRY_PASSWORD }}"
           REF_NAME="${GITHUB_REF_NAME}"
           if [ -z "${REF_NAME}" ]; then
             REF_NAME="${GITHUB_REF#refs/heads/}"
@@ -28,16 +30,22 @@ jobs:
             exit 1
           fi
 
-          if [ -z "${TOKEN}" ]; then
-            echo "Missing GITHUB_TOKEN/GITEA_TOKEN; cannot clone private repository"
+          rm -rf "${REPO_DIR}"
+
+          if [ -n "${TOKEN}" ]; then
+            git clone --depth 1 --branch "${REF_NAME}" \
+              "https://oauth2:${TOKEN}@${SERVER_URL#https://}/${GITHUB_REPOSITORY}.git" \
+              "${REPO_DIR}"
+          elif [ -n "${CLONE_USER}" ] && [ -n "${CLONE_PASS}" ]; then
+            git clone --depth 1 --branch "${REF_NAME}" \
+              "https://${CLONE_USER}:${CLONE_PASS}@${SERVER_URL#https://}/${GITHUB_REPOSITORY}.git" \
+              "${REPO_DIR}"
+          else
+            echo "Missing CI token and fallback clone credentials"
+            echo "Set GITHUB_TOKEN/GITEA_TOKEN or REGISTRY_USERNAME/REGISTRY_PASSWORD secrets"
             exit 1
           fi
 
-          rm -rf "${REPO_DIR}"
-          git clone --depth 1 --branch "${REF_NAME}" \
-            "https://oauth2:${TOKEN}@${SERVER_URL#https://}/${GITHUB_REPOSITORY}.git" \
-            "${REPO_DIR}"
-
           if [ ! -f "${REPO_DIR}/Dockerfile" ]; then
             echo "Dockerfile not found after clone"
             exit 1