diff --git a/.forgejo/workflows/ci.yaml b/.forgejo/workflows/ci.yaml
index ca79564..be25880 100644
--- a/.forgejo/workflows/ci.yaml
+++ b/.forgejo/workflows/ci.yaml
@@ -25,40 +25,11 @@ jobs:
 with:
 fetch-depth: 0
 
- - name: Show variables and secrets
- run: |
- echo "HELLO_SECRET: ${HELLO_SECRET}"
- echo "CI_GREETING: ${CI_GREETING}"
- echo "REGISTRY_HOST: ${REGISTRY_HOST}"
- echo "IMAGE_NAMESPACE: ${IMAGE_NAMESPACE}"
- echo "IMAGE_NAME: ${IMAGE_NAME}"
- env:
- HELLO_SECRET: ${{ secrets.HELLO_SECRET }}
-
 - name: Trust cluster CA
 run: |
 cp /etc/cluster-ca/root-ca.crt /usr/local/share/ca-certificates/cluster-root-ca.crt
 update-ca-certificates
 
- - name: Debug CA trust
- run: |
- echo "== cluster CA file =="
- ls -l /etc/cluster-ca || true
- ls -l /etc/cluster-ca/root-ca.crt || true
- echo "== ca-certificates directory =="
- ls -l /usr/local/share/ca-certificates || true
- ls -l /etc/ssl/certs | grep sk4.nz || true
- echo "== CA content (cluster) =="
- openssl x509 -in /etc/cluster-ca/root-ca.crt -noout -subject -issuer -dates -fingerprint -sha256 || true
- echo "== CA in system trust store? =="
- grep -R "BEGIN CERTIFICATE" -n /etc/ssl/certs || true
-
- - name: Debug docker registry trust
- run: |
- echo "== docker certs.d (job container) =="
- ls -l /etc/docker/certs.d || true
- ls -l /etc/docker/certs.d/harbor.k8s.sk4.nz || true
-
 - name: Install required dependencies
 run: |
 apt-get update
@@ -82,12 +53,12 @@ jobs:
 - name: Verify Docker CLI version
 run: docker --version
 
- - name: Login to registry
+ - name: Login to docker-mirror (pull)
 run: |
- echo "${REGISTRY_TOKEN}" | docker login "${REGISTRY_HOST}" -u "${REGISTRY_USERNAME}" --password-stdin
+ echo "${MIRROR_REGISTRY_TOKEN}" | docker login "${REGISTRY_HOST}" -u "${MIRROR_REGISTRY_USERNAME}" --password-stdin
 env:
- REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
- REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
+ MIRROR_REGISTRY_USERNAME: ${{ secrets.MIRROR_REGISTRY_USERNAME }}
+ MIRROR_REGISTRY_TOKEN: ${{ secrets.MIRROR_REGISTRY_TOKEN }}
 
 - name: Build image
 run: |
@@ -95,11 +66,6 @@ jobs:
 echo "IMAGE_REF=${IMAGE_REF}" >> "${GITHUB_ENV}"
 docker build -t "${IMAGE_REF}" .
 
-
- - name: Push image
- run: |
- docker push "${IMAGE_REF}"
-
 - name: Trivy scan (securecodebox)
 run: |
 docker run --rm \
@@ -123,3 +89,15 @@ jobs:
 -F "active=true"
 env:
 DEFECTDOJO_API_KEY: ${{ secrets.DEFECTDOJO_API_KEY }}
+
+ - name: Login to registry (push)
+ run: |
+ echo "${REGISTRY_TOKEN}" | docker login "${REGISTRY_HOST}" -u "${REGISTRY_USERNAME}" --password-stdin
+ env:
+ REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
+ REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
+
+ - name: Push image
+ run: |
+ docker push "${IMAGE_REF}"
+
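Review bot: The step is named "Login to docker-mirror (pull)" but the new `docker login "${REGISTRY_HOST}"` line targets the same host that the push login uses later in the workflow, so the hunk gives a reader no way to tell whether the mirror is a pull-through project on that registry (in which case the name is misleading) or a separate host (in which case this logs in to the wrong one). If it is a separate endpoint, introduce a dedicated variable, e.g. change the line to `echo "${MIRROR_REGISTRY_TOKEN}" | docker login "${MIRROR_REGISTRY_HOST}" -u "${MIRROR_REGISTRY_USERNAME}" --password-stdin`; otherwise say so above the step: `# pull-only account for the mirror project on ${REGISTRY_HOST}; docker login keeps one credential per host, so the push login further down replaces this one`. Where `REGISTRY_HOST` is defined is outside this hunk.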
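Review bot: The new "Login to registry (push)" step writes the push credential into the job's Docker config and nothing in the added lines removes it after `docker push`, so on a runner whose Docker config survives the job the push token outlives its only use; a final step `- name: Logout from registry` / `if: always()` / `run: docker logout "${REGISTRY_HOST}"` closes that window at no cost. Moving the push behind the Trivy scan and DefectDojo upload only gates it if those steps fail the job on findings — the Trivy invocation's options are outside this hunk, so it is worth confirming it is not run with an exit code of zero on findings, otherwise the reorder delays the push without ever blocking it. A comment above the push login such as `# push credential is only loaded here, after the scan/upload steps have succeeded, to keep it out of the build and scan stages` would record the intent of the split.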