diff --git a/.gitea/workflows/ci-cd.yml b/.gitea/workflows/ci-cd.yml
index 01f73a0..b1e9b5b 100644
--- a/.gitea/workflows/ci-cd.yml
+++ b/.gitea/workflows/ci-cd.yml
@@ -169,9 +169,15 @@ jobs:
           SHA_SHORT=$(echo "${GITHUB_SHA}" | cut -c1-7)
           REPO_OWNER="${GITHUB_REPOSITORY%%/*}"
           REGISTRY="${REGISTRY_HOST}/${REPO_OWNER}"
+          GITEA_HOST=$(echo "${GITHUB_SERVER_URL}" | sed -E 's#https?://([^/:]+).*#\1#')
 
           echo "Registry: ${REGISTRY_HOST}"
           echo "Actor: ${GITHUB_ACTOR}"
+          echo "Gitea host: ${GITEA_HOST}"
+
+          # Ensure token endpoint host resolves to internal network IP from runner.
+          # Registry auth flow may redirect to ${GITEA_HOST} even when pushing to REGISTRY_HOST.
+          echo "10.10.0.10 ${GITEA_HOST}" >> /etc/hosts
 
           echo "${REGISTRY_PASSWORD}" | ./crane auth login --insecure "${REGISTRY_HOST}" -u "${REGISTRY_USER}" --password-stdin