diff --git a/.forgejo/workflows/publish-faceai-container.yml b/.forgejo/workflows/publish-faceai-container.yml
index ed2c720b..6bf289ff 100644
--- a/.forgejo/workflows/publish-faceai-container.yml
+++ b/.forgejo/workflows/publish-faceai-container.yml
@@ -24,10 +24,17 @@ jobs:
     runs-on: docker
     env:
       DOCKER_HOST: ${{ vars.DOCKER_HOST != '' && vars.DOCKER_HOST || 'tcp://172.17.0.1:2375' }}
+      REPO_SERVER_URL: ${{ forgejo.server_url }}
+      REPO_NAME: ${{ forgejo.repository }}
+      REPO_ACTOR: ${{ forgejo.actor }}
+      REPO_TOKEN: ${{ forgejo.token }}
 
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          token: ${{ forgejo.token }}
+          persist-credentials: true
 
       - name: Validate workflow variables
         run: |
@@ -69,9 +76,29 @@ jobs:
           mkdir -p "${HOME}/.local/bin"
           find . -type f -name git-lfs -exec cp {} "${HOME}/.local/bin/git-lfs" \;
           chmod +x "${HOME}/.local/bin/git-lfs"
-          echo "${HOME}/.local/bin" >> "${GITHUB_PATH}"
+          echo "${HOME}/.local/bin" >> "${FORGEJO_PATH}"
           "${HOME}/.local/bin/git-lfs" version
 
+      - name: Configure Git auth for Forgejo LFS
+        run: |
+          set -eu
+          if [ -z "${REPO_SERVER_URL}" ]; then
+            echo "forgejo.server_url is required for Forgejo LFS auth"
+            exit 1
+          fi
+          if [ -z "${REPO_NAME}" ]; then
+            echo "forgejo.repository is required for Forgejo LFS auth"
+            exit 1
+          fi
+          if [ -z "${REPO_ACTOR}" ] || [ -z "${REPO_TOKEN}" ]; then
+            echo "forgejo.actor and forgejo.token are required for Forgejo LFS auth"
+            exit 1
+          fi
+
+          AUTH_B64="$(printf '%s' "${REPO_ACTOR}:${REPO_TOKEN}" | base64 | tr -d '\n')"
+          git config --local "http.${REPO_SERVER_URL}/.extraheader" "AUTHORIZATION: basic ${AUTH_B64}"
+          git config --local lfs.url "${REPO_SERVER_URL}/${REPO_NAME}.git/info/lfs"
+
       - name: Validate Git LFS checkout for matcher binary
         run: |
           set -eu
@@ -127,7 +154,7 @@ jobs:
           mkdir -p "${HOME}/.local/bin"
           mv docker/docker "${HOME}/.local/bin/docker"
           chmod +x "${HOME}/.local/bin/docker"
-          echo "${HOME}/.local/bin" >> "${GITHUB_PATH}"
+          echo "${HOME}/.local/bin" >> "${FORGEJO_PATH}"
           "${HOME}/.local/bin/docker" --version
 
       - name: Ensure Docker Buildx exists
@@ -173,7 +200,7 @@ jobs:
         run: |
           set -eu
           IMAGE_REF="${REGISTRY}/${IMAGE_NAMESPACE}/${CLIENT_IMAGE_NAME}"
-          SHORT_SHA="$(echo "${GITHUB_SHA}" | cut -c1-12)"
+          SHORT_SHA="$(echo "${FORGEJO_SHA}" | cut -c1-12)"
           docker buildx build \
             --builder forgejo-builder \
             --file "${CLIENT_DOCKERFILE_PATH}" \
@@ -186,7 +213,7 @@ jobs:
         run: |
           set -eu
           IMAGE_REF="${REGISTRY}/${IMAGE_NAMESPACE}/${PROCESSOR_IMAGE_NAME}"
-          SHORT_SHA="$(echo "${GITHUB_SHA}" | cut -c1-12)"
+          SHORT_SHA="$(echo "${FORGEJO_SHA}" | cut -c1-12)"
           docker buildx build \
             --builder forgejo-builder \
             --file "${PROCESSOR_DOCKERFILE_PATH}" \