.gitea/workflows/ci-arm64-advisory.yml

@@ -101,7 +101,7 @@ jobs:
     # AND-set: only the Mac arm64 runner advertises macos-self-hosted.
     # See "RUNNER TARGETING" header note for why bare self-hosted is unsafe.
     runs-on: [self-hosted, macos-self-hosted]
-    # ADVISORY: never blocks. See safety contract point 3.
+    # ADVISORY: never blocks. See safety contract point 3. mc#774
     continue-on-error: true
     # event_name gate: functional (only meaningful on push/PR) AND keeps
     # this job out of ci-required-drift.py:ci_job_names() so F1 can never

.gitea/workflows/publish-canvas-image.yml

@@ -73,6 +73,17 @@ jobs:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
+      # Keep Docker auth/buildx state inside the job temp dir. Publish
+      # runners can inherit a HOME/DOCKER_CONFIG path that is host-owned
+      # and not writable from the job container; docker login otherwise
+      # fails before the image build starts.
+      - name: Prepare writable Docker config
+        run: |
+          set -euo pipefail
+          export DOCKER_CONFIG="$RUNNER_TEMP/docker-config"
+          mkdir -p "$DOCKER_CONFIG/buildx/certs"
+          echo "DOCKER_CONFIG=$DOCKER_CONFIG" >> "$GITHUB_ENV"
+
       - name: Log in to ECR
         env:
           IMAGE_NAME: ${{ env.IMAGE_NAME }}