diff --git a/.gitea/workflows/ci-cd.yml b/.gitea/workflows/ci-cd.yml
index 8f3a32f..9b1c7ac 100644
--- a/.gitea/workflows/ci-cd.yml
+++ b/.gitea/workflows/ci-cd.yml
@@ -179,6 +179,9 @@ jobs:
 
           # Ensure token endpoint host resolves to internal network IP from runner.
           # Registry auth flow may redirect to ${GITEA_HOST} even when pushing to REGISTRY_HOST.
+          # Replace old mapping if present and pin host to internal IP.
+          grep -v "[[:space:]]${GITEA_HOST}$" /etc/hosts > /tmp/hosts.cleaned || true
+          cat /tmp/hosts.cleaned > /etc/hosts
           echo "${REGISTRY_IP} ${GITEA_HOST}" >> /etc/hosts
           getent hosts "${GITEA_HOST}" || true
 
@@ -187,6 +190,8 @@ jobs:
           unset http_proxy https_proxy HTTP_PROXY HTTPS_PROXY all_proxy ALL_PROXY
           export NO_PROXY="${NO_PROXY:-},${REGISTRY_IP},${GITEA_HOST}"
           export no_proxy="${no_proxy:-},${REGISTRY_IP},${GITEA_HOST}"
+          # Force pure Go resolver for crane to honor /etc/hosts mapping first.
+          export GODEBUG=netdns=go
 
           echo "${REGISTRY_PASSWORD}" | ./crane auth login --insecure "${REGISTRY_HOST}" -u "${REGISTRY_USER}" --password-stdin