diff --git a/.forgejo/workflows/self-deploy.yml b/.forgejo/workflows/self-deploy.yml
index d8ea6551b..ba4f5ca77 100644
--- a/.forgejo/workflows/self-deploy.yml
+++ b/.forgejo/workflows/self-deploy.yml
@@ -25,7 +25,7 @@ env:
 jobs:
 build:
 name: build, test, and publish server image
- runs-on: docker
+ runs-on: ubuntu-latest
 outputs:
 image: ${{ steps.image.outputs.image }}
 steps:
@@ -69,20 +69,16 @@ jobs:
 - name: Generate release manifest
 run: npm run release:manifest -- --out dist/sf-release-manifest.json
 
- - name: Login to registry
- if: env.SF_REGISTRY_USER != '' && env.SF_REGISTRY_PASSWORD != ''
+ # Runner is a k8s pod (forgejo-runner ns) with Nix on PATH and no
+ # docker daemon — build and push via rootless buildah + skopeo from
+ # nixpkgs, matching the operator's documented runner contract.
+ - name: Build server image (rootless buildah)
 run: |
- printf '%s' "$SF_REGISTRY_PASSWORD" | docker login "${SF_REGISTRY:-registry.centralcloud.com}" --username "$SF_REGISTRY_USER" --password-stdin
-
- - name: Build server image
- run: |
- export DOCKER_BUILDKIT=1
- export BUILDKIT_PROGRESS=plain
- cache_ref="${SF_IMAGE_REPOSITORY:-${SF_REGISTRY:-registry.infra.centralcloud.com}/singularity/sf-server}:buildcache"
- docker build \
+ set -euo pipefail
+ nix run nixpkgs#buildah -- bud \
+ --storage-driver=vfs \
+ --isolation=chroot \
 -f docker/Dockerfile.sf-server \
- --cache-from "type=registry,ref=${cache_ref}" \
- --cache-to "type=registry,ref=${cache_ref},mode=max" \
 --build-arg "SF_GIT_SHA=${GITHUB_SHA:-$(git rev-parse HEAD)}" \
 --build-arg "SF_GIT_REF=${GITHUB_REF_NAME:-$(git rev-parse --abbrev-ref HEAD)}" \
 --build-arg "SF_RELEASE_IMAGE=${{ steps.image.outputs.image }}" \
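Review bot: `nix run nixpkgs#buildah -- bud \` resolves `nixpkgs` through the runner's flake registry at run time, so the buildah that builds and tags the release image floats from run to run and the build can neither be reproduced nor attributed to a specific toolchain version. Pin the reference, e.g. `nix run github:NixOS/nixpkgs/<PINNED_NIXPKGS_REV>#buildah -- bud \`, or point it at a flake lock checked into the repo; the `nixpkgs#skopeo` call in the push step below has the same issue. Separately, with the login step removed the build now runs with no registry credentials, so if `docker/Dockerfile.sf-server` pulls a base image from the private registry the `bud` will fail at pull time — not visible from this hunk. The `bud` command continues past the end of this hunk.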
@@ -90,15 +86,27 @@ jobs:
 -t "${{ steps.image.outputs.image }}" \
 .
 
- - name: Push server image
+ - name: Push server image (skopeo)
 if: env.SF_PUSH_IMAGE != '0'
- run: docker push "${{ steps.image.outputs.image }}"
+ run: |
+ set -euo pipefail
+ # Hand the buildah-built image to skopeo via containers-storage,
+ # authenticated against the SF registry.
+ creds_arg=""
+ if [ -n "${SF_REGISTRY_USER:-}" ] && [ -n "${SF_REGISTRY_PASSWORD:-}" ]; then
+ creds_arg="--dest-creds=${SF_REGISTRY_USER}:${SF_REGISTRY_PASSWORD}"
+ fi
+ nix run nixpkgs#skopeo -- copy \
+ --insecure-policy \
+ $creds_arg \
+ "containers-storage:[vfs@/var/lib/containers/storage+/var/run/containers/storage]${{ steps.image.outputs.image }}" \
+ "docker://${{ steps.image.outputs.image }}"
 
 deploy-test:
 name: deploy test and probe
 needs: build
- runs-on: docker
+ runs-on: ubuntu-latest
 steps:
 - name: Configure kubeconfig
 run: |
@@ -129,7 +137,7 @@ jobs:
 needs:
 - build
 - deploy-test
- runs-on: docker
+ runs-on: ubuntu-latest
 if: needs.deploy-test.result == 'success'
 steps:
 - name: Configure kubeconfig
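Review bot: `creds_arg="--dest-creds=${SF_REGISTRY_USER}:${SF_REGISTRY_PASSWORD}"` puts the registry password on skopeo's command line, where any process in the pod can read it from `ps`/`/proc/*/cmdline` and where a `set -x` or nix trace would print it; the `docker login` step this replaces used `--password-stdin` precisely to keep it out of argv. Log in with `skopeo login --password-stdin --authfile` into a temporary file and pass that file with `--dest-authfile`, as below. Unquoted `$creds_arg` also word-splits on any whitespace in the password; `${auth_arg:+"$auth_arg"}` keeps the "expands to nothing when unset" behaviour without that hazard. `--insecure-policy` deserves a line of explanation since it disables signature-policy evaluation entirely, e.g. `# --insecure-policy: skip policy.json (presumably absent on the runner); source is the locally built image, nothing to verify`. The `bud` command whose `-t`/`.` lines open this hunk begins in the previous hunk.

```yaml
        run: |
          set -euo pipefail
          # Temporary auth file so the password never appears in argv.
          authfile="$(mktemp)"
          trap 'rm -f "$authfile"' EXIT
          auth_arg=""
          if [ -n "${SF_REGISTRY_USER:-}" ] && [ -n "${SF_REGISTRY_PASSWORD:-}" ]; then
            # Host must match the registry in steps.image.outputs.image.
            printf '%s' "$SF_REGISTRY_PASSWORD" | nix run nixpkgs#skopeo -- login \
              --authfile "$authfile" \
              --username "$SF_REGISTRY_USER" \
              --password-stdin \
              "${SF_REGISTRY:-registry.centralcloud.com}"
            auth_arg="--dest-authfile=$authfile"
          fi
          # … unchanged: skopeo copy invocation, with $creds_arg replaced by ${auth_arg:+"$auth_arg"} …
```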