diff --git a/.gitea/workflows/deploy-staging.yml b/.gitea/workflows/deploy-staging.yml
index 23937b5..f044b97 100644
--- a/.gitea/workflows/deploy-staging.yml
+++ b/.gitea/workflows/deploy-staging.yml
@@ -5,28 +5,26 @@ on:
 branches:
 - staging
-# STAGING_REGISTRY must include the owner segment, e.g. git.yourdomain.com:3000/myorg
-# so images are correctly tagged as git.yourdomain.com:3000/myorg/storefront:staging
-# (see: troubleshooting #8 — missing /owner causes a 500 from Gitea registry)
+# Gitea Actions has no environment-level secrets (unlike GitHub Actions).
+# Staging and production secrets live at repo level, distinguished by prefix.
+# Production workflow uses the same names with PROD_ prefix.
+# (see: troubleshooting #8 — REGISTRY must include the owner segment)
 #
-# Required secrets:
-# STAGING_REGISTRY — host:port/owner (e.g. git.yourdomain.com:3000/myorg)
-# STAGING_REGISTRY_USER — Gitea username
-# STAGING_REGISTRY_TOKEN — Gitea personal access token (package:write scope)
-# STAGING_SSH_HOST — use host.containers.internal, not the external IP
-# (see: troubleshooting #13 — VPS firewall blocks ext IP)
-# STAGING_SSH_USER — SSH user on the VPS
-# STAGING_SSH_KEY — SSH private key (full PEM)
-# STAGING_SSH_PORT — (optional) defaults to 22
+# Required secrets (repo → Settings → Secrets and Variables → Actions):
+# STAGING_REGISTRY — host:port/owner (e.g. git.yourdomain.com:3000/myorg)
+# STAGING_REGISTRY_USER — Gitea username
+# STAGING_REGISTRY_TOKEN — Gitea personal access token (package:write scope)
+# STAGING_SSH_HOST — use host.containers.internal, not the external IP
+# (see: troubleshooting #13 — VPS firewall blocks ext IP)
+# STAGING_SSH_USER — SSH user on the VPS
+# STAGING_SSH_KEY — SSH private key (full PEM)
+# STAGING_SSH_PORT — (optional) defaults to 22
 #
 # The Dockerfiles are expected at:
 # apps/storefront/Dockerfile
 # apps/admin/Dockerfile
 # Both receive ./out as build context (turbo prune output).
-env:
- REGISTRY: ${{ secrets.STAGING_REGISTRY }}
-
 jobs:
 # ── 1. CI ───────────────────────────────────────────────────────────────────
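Review bot: The rewritten header lists STAGING_REGISTRY and the other secrets as required, but nothing in the workflow verifies they are set; as far as I know an unset or misnamed secret evaluates to an empty string in `${{ secrets.* }}`, so now that the workflow-level `env.REGISTRY` is gone a missing STAGING_REGISTRY would silently produce an empty `REGISTRY_HOST` and an image reference of `/<app>` in the later steps instead of failing early. It is also worth recording here that STAGING_REGISTRY (`host:port/owner`) is configuration rather than a credential, and that because it is now read only through `secrets.*` the runner will presumably mask its value in job logs, which hides the registry host and image names in build/push output. I would add under the list `#   Note: an unset secret expands to "" — fail fast if STAGING_REGISTRY is empty` and, if the Gitea version in use supports repo-level Actions variables, note that `vars.STAGING_REGISTRY` is the more appropriate home for a non-secret value. The `jobs:` section this hunk ends in continues outside it.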
@@ -81,6 +79,14 @@ jobs:
 - name: Prune workspace for ${{ matrix.app }}
 run: npx turbo prune ${{ matrix.app }} --docker
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+ with:
+ # docker-container driver spawns a privileged builder container which
+ # fails on rootless Podman. "docker" driver reuses the daemon directly.
+ # (see: troubleshooting #5)
+ driver: docker
+
 - name: Authenticate with registry
 # docker login sends HTTPS even for HTTP-only (insecure) registries, so it
 # fails before the daemon can handle it. Pre-populating config.json bypasses
@@ -89,7 +95,7 @@ jobs:
 run: |
 mkdir -p ~/.docker
 AUTH=$(echo -n "${{ secrets.STAGING_REGISTRY_USER }}:${{ secrets.STAGING_REGISTRY_TOKEN }}" | base64 -w 0)
- REGISTRY_HOST=$(echo "${{ env.REGISTRY }}" | cut -d'/' -f1)
+ REGISTRY_HOST=$(echo "${{ secrets.STAGING_REGISTRY }}" | cut -d'/' -f1)
 echo "{\"auths\":{\"${REGISTRY_HOST}\":{\"auth\":\"${AUTH}\"}}}" > ~/.docker/config.json
 - name: Build & push ${{ matrix.app }}
@@ -98,7 +104,7 @@ jobs:
 # which fails on rootless Podman without --privileged. (see: troubleshooting #5)
 run: |
 SHORT_SHA="${GITHUB_SHA::7}"
- IMAGE="${{ env.REGISTRY }}/${{ matrix.app }}"
+ IMAGE="${{ secrets.STAGING_REGISTRY }}/${{ matrix.app }}"
 docker build \
 -f apps/${{ matrix.app }}/Dockerfile \
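Review bot: `uses: docker/setup-buildx-action@v3` in the new Buildx step pins a mutable major tag; in a workflow whose secrets include registry credentials and an SSH private key, a third-party action should be pinned to a full commit SHA with the tag kept as a comment, e.g. `uses: docker/setup-buildx-action@<full-commit-sha>  # v3`. The `driver: docker` comment explains the rootless-Podman constraint well, but the build step in the later hunk still invokes plain `docker build`, so it is not clear from this diff what the Buildx setup contributes; if it is needed (for example to select the daemon's built-in BuildKit builder), one sentence in the step comment saying so would spare the next reader the same question. The step list belongs to a job whose definition starts outside this hunk.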
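Review bot: The new `REGISTRY_HOST=$(echo "${{ secrets.STAGING_REGISTRY }}" | cut -d'/' -f1)` line expands the secret into the script source before the shell runs, so the secret's content is spliced into the command text rather than read as data; the `IMAGE=` line in the following hunk does the same, and the existing `AUTH=` line above would benefit from the same treatment. The more robust pattern is to hand the value to the step through `env:` and reference the shell variable: add `env:` / `  STAGING_REGISTRY: ${{ secrets.STAGING_REGISTRY }}` to the step and write `REGISTRY_HOST="${STAGING_REGISTRY%%/*}"`, which also drops the `echo | cut` subshell. Because the value is now referenced only as a secret, the runner will presumably mask it in logs, hiding the derived host and image names in the build and push output; if `host:port/owner` is not sensitive, a repo-level Actions variable would be the better home for it. This step's `- name: Authenticate with registry` line sits in the previous hunk, outside this one.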