diff --git a/.forgejo/workflows/self-deploy.yml b/.forgejo/workflows/self-deploy.yml index d975608db..fdc69c79a 100644 --- a/.forgejo/workflows/self-deploy.yml +++ b/.forgejo/workflows/self-deploy.yml @@ -86,23 +86,21 @@ jobs: - name: Generate release manifest run: npm run release:manifest -- --out dist/sf-release-manifest.json - # Runner is a k8s pod (forgejo-runner ns) with Nix on PATH and no - # docker daemon — build and push via rootless buildah + skopeo from - # nixpkgs, matching the operator's documented runner contract. - - name: Build server image (rootless buildah) + # The forgejo-runner pod has /var/run/docker.sock mounted from the + # vega host (via the runner deployment in /srv/infra). docker CLI + # is on PATH via nixpkgs#docker-client. So: plain `docker build` and + # `docker push` against the host's docker daemon. + - name: Login to registry + if: env.SF_REGISTRY_USER != '' && env.SF_REGISTRY_PASSWORD != '' + run: | + printf '%s' "$SF_REGISTRY_PASSWORD" | docker login \ + "${SF_REGISTRY:-registry.infra.centralcloud.com}" \ + --username "$SF_REGISTRY_USER" --password-stdin + + - name: Build server image run: | set -euo pipefail - # buildah needs a containers policy file; the runner image doesn't - # ship one. Write a permissive "trust-all" policy inline. - mkdir -p "$HOME/.config/containers" - printf '%s\n' '{"default":[{"type":"insecureAcceptAnything"}]}' \ - > "$HOME/.config/containers/policy.json" - nix run nixpkgs#buildah -- bud \ - --signature-policy="$HOME/.config/containers/policy.json" \ - --storage-driver=vfs \ - --root="$HOME/.local/share/containers/storage" \ - --runroot="$HOME/.local/share/containers/runroot" \ - --isolation=chroot \ + docker build \ -f docker/Dockerfile.sf-server \ --build-arg "SF_GIT_SHA=${GITHUB_SHA:-$(git rev-parse HEAD)}" \ --build-arg "SF_GIT_REF=${GITHUB_REF_NAME:-$(git rev-parse --abbrev-ref HEAD)}" \ 
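Review bot: The new login step leaves registry credentials in `$HOME/.docker/config.json` inside the runner pod and nothing in this hunk (or the push hunk at @@ -111) removes them, so they remain readable by any later job scheduled on the same pod if its home directory is not ephemeral. A trailing step `- name: Logout from registry` with `if: always()` and `run: docker logout "${SF_REGISTRY:-registry.infra.centralcloud.com}"` bounds that exposure to this job. The same default host is hard-coded in the login line; if `steps.image.outputs.image` (set outside the hunk) names a different registry, the login will not cover the push. Because the build now goes through the host daemon over the mounted socket, its layer cache is shared with everything else that uses that daemon, and `docker build --pull` would at least refresh the base image instead of trusting whatever is cached there. The enclosing `jobs:` mapping starts and ends outside the hunk.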
@@ -111,21 +109,9 @@ jobs: -t "${{ steps.image.outputs.image }}" \ . - - name: Push server image (skopeo) + - name: Push server image if: env.SF_PUSH_IMAGE != '0' - run: | - set -euo pipefail - # Hand the buildah-built image to skopeo via containers-storage, - # authenticated against the SF registry. - creds_arg="" - if [ -n "${SF_REGISTRY_USER:-}" ] && [ -n "${SF_REGISTRY_PASSWORD:-}" ]; then - creds_arg="--dest-creds=${SF_REGISTRY_USER}:${SF_REGISTRY_PASSWORD}" - fi - nix run nixpkgs#skopeo -- copy \ - --insecure-policy \ - $creds_arg \ - "containers-storage:[vfs@$HOME/.local/share/containers/storage+$HOME/.local/share/containers/runroot]${{ steps.image.outputs.image }}" \ - "docker://${{ steps.image.outputs.image }}" + run: docker push "${{ steps.image.outputs.image }}" deploy-test:
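Review bot: The new push line interpolates `${{ steps.image.outputs.image }}` straight into the shell command, mirroring the `-t` context line above it; the expression is expanded before the shell runs, so if the image tag is ever derived from a ref or branch name (the image step is outside the hunk) its content becomes shell syntax. Passing it through the environment keeps it a plain string: add `env:` / `  IMAGE: ${{ steps.image.outputs.image }}` to the step and use `run: docker push "$IMAGE"`. The push is gated only on `SF_PUSH_IMAGE`, while the login step in the earlier hunk is gated on the credential variables, so enabling push without credentials fails on the push itself rather than earlier; that is acceptable but deserves a comment such as `# Fails unauthenticated when SF_REGISTRY_USER/PASSWORD are unset — intentional.` The `deploy-test:` job that follows continues outside the hunk.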