diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index 449be9a..c31d647 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -53,12 +53,12 @@ jobs:
 SECRET_IMAGE: ${{ secrets.REGISTRY_IMAGE }}
 run: |
 set -euo pipefail
- username="${SECRET_USERNAME:-${GITHUB_ACTOR}}"
+ username="${SECRET_USERNAME:-}"
 password="${SECRET_PASSWORD:-${SECRET_TOKEN:-}}"
 image="${SECRET_IMAGE:-gitea.reversed.dev/space/evil-wordle}"
 if [ -z "$username" ]; then
- echo "::error::Registry username is empty. Set REGISTRY_USERNAME or ensure GITHUB_ACTOR is available."
+ echo "::error::Registry username is empty. Set REGISTRY_USERNAME to the Gitea user that owns the token."
 exit 1
 fi
@@ -73,14 +73,18 @@ jobs:
 } >> "$GITHUB_OUTPUT"
 echo "::add-mask::$password"
- echo "password=$password" >> "$GITHUB_OUTPUT"
 - name: Log in to Gitea registry
- uses: docker/login-action@v3
- with:
- registry: gitea.reversed.dev
- username: ${{ steps.registry.outputs.username }}
- password: ${{ steps.registry.outputs.password }}
+ shell: bash
+ env:
+ REGISTRY_USERNAME: ${{ steps.registry.outputs.username }}
+ REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
+ REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
+ run: |
+ set -euo pipefail
+ password="${REGISTRY_PASSWORD:-${REGISTRY_TOKEN:-}}"
+ echo "::add-mask::$password"
+ echo "$password" | docker login gitea.reversed.dev -u "$REGISTRY_USERNAME" --password-stdin
 - name: Compute image tags
 id: meta
@@ -116,6 +120,8 @@ jobs:
 shell: bash
 run: |
 set -euo pipefail
+ token="${REGISTRY_PASSWORD:-${REGISTRY_TOKEN:-}}"
+ export REGISTRY_PASSWORD="$token"
 python3 - <<'PY'
 import json
 import os
@@ -160,4 +166,5 @@ jobs:
 raise
 PY
 env:
- REGISTRY_PASSWORD: ${{ steps.registry.outputs.password }}
+ REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
+ REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
diff --git a/README.md b/README.md
index c2aa166..b8d756c 100644
--- a/README.md
+++ b/README.md
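Review bot: The `docker login` step added in the `-73,14 +73,18` hunk of `.gitea/workflows/ci.yml` never logs out, so the registry credential stays in the runner's Docker config after the job; `docker/login-action`, which it replaces, removed it in its post step. If the runner's Docker config outlives the job (host-mode or a reused container, which is not visible from here), later jobs can read the token. A closing step would restore the old behaviour: `- name: Log out of Gitea registry`, `if: always()`, `run: docker logout gitea.reversed.dev`. The step also calls `docker login` with an empty password when both secrets are unset, unless the `registry` step already rejects that case in lines outside the hunk. `printf '%s' "$password"` is a safer pipe source than `echo` for a token that happens to start with `-`.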
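Review bot: The `REGISTRY_PASSWORD`/`REGISTRY_TOKEN` fallback added at the top of the `run` block in the `-116,6 +120,8` hunk is now spelled out three times (the `registry` step, the login step and here), so any change to the precedence has to be repeated in each place. Resolving it once in the step's `env:` mapping would make the two added shell lines unnecessary: `REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD || secrets.REGISTRY_TOKEN }}`, assuming the runner's expression evaluator supports `||`. If the shell form stays, a comment above `token=` such as `# REGISTRY_TOKEN is used only when REGISTRY_PASSWORD is unset or empty` would record the intent. The `run` body and its Python heredoc continue outside the hunk.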
@@ -37,11 +37,13 @@ Gitea Actions workflow: `.gitea/workflows/ci.yml` Required repository or organization secrets: - `REGISTRY_PASSWORD`: Gitea personal access token with package read/write access -- `REGISTRY_USERNAME`: optional; defaults to the Gitea Actions actor +- `REGISTRY_USERNAME`: Gitea username that owns the token - `REGISTRY_IMAGE`: optional; defaults to `gitea.reversed.dev/space/evil-wordle` The workflow also accepts `REGISTRY_TOKEN` as a fallback for `REGISTRY_PASSWORD`. +For organization packages such as `space/evil-wordle`, the username is still the actual Gitea user account for the token, not the organization name. That user needs permission to publish packages under `space`. + The workflow uses `catthehacker/ubuntu:act-latest`, Docker Buildx, and links the published package back to the `space/evil-wordle` repository through the Gitea API. On pushes to `main`, CI publishes: