diff --git a/.forgejo/workflows/release-image.yml b/.forgejo/workflows/release-image.yml
index 834b5602..069f1d34 100644
--- a/.forgejo/workflows/release-image.yml
+++ b/.forgejo/workflows/release-image.yml
@@ -53,6 +53,9 @@ jobs:
             let images = []
             if (process.env.BUILTIN_REGISTRY_ENABLED === "true") {
               images.push(builtinImage)
+            } else {
+              // Fallback to official registry for forks/PRs without credentials
+              images.push('forgejo.ellis.link/continuwuation/continuwuity')
             }
             core.setOutput('images', images.join("\n"))
             core.setOutput('images_list', images.join(","))
@@ -111,6 +114,7 @@ jobs:
         uses: docker/setup-qemu-action@v3
       # Uses the `docker/login-action` action to log in to the Container registry registry using the account and password that will publish the packages. Once published, the packages are scoped to the account defined here.
       - name: Login to builtin registry
+        if: ${{ env.BUILTIN_REGISTRY_ENABLED == 'true' }}
         uses: docker/login-action@v3
         with:
           registry: ${{ env.BUILTIN_REGISTRY }}
@@ -207,7 +211,7 @@ jobs:
           cache-from: type=gha
           # cache-to: type=gha,mode=max
           sbom: true
-          outputs: type=image,"name=${{ needs.define-variables.outputs.images_list }}",push-by-digest=true,name-canonical=true,push=true
+          outputs: ${{ env.BUILTIN_REGISTRY_ENABLED == 'true' && format('type=image,"name={0}",push-by-digest=true,name-canonical=true,push=true', needs.define-variables.outputs.images_list) || 'type=docker' }}
         env:
           SOURCE_DATE_EPOCH: ${{ env.TIMESTAMP }}
 
@@ -249,6 +253,7 @@ jobs:
     needs: [define-variables, build-image]
     steps:
       - name: Download digests
+        if: ${{ env.BUILTIN_REGISTRY_ENABLED == 'true' }}
         uses: forgejo/download-artifact@v4
         with:
           path: /tmp/digests
@@ -256,6 +261,7 @@ jobs:
           merge-multiple: true
       # Uses the `docker/login-action` action to log in to the Container registry registry using the account and password that will publish the packages. Once published, the packages are scoped to the account defined here.
       - name: Login to builtin registry
+        if: ${{ env.BUILTIN_REGISTRY_ENABLED == 'true' }}
         uses: docker/login-action@v3
         with:
           registry: ${{ env.BUILTIN_REGISTRY }}
@@ -263,6 +269,7 @@ jobs:
           password: ${{ secrets.BUILTIN_REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}
 
       - name: Set up Docker Buildx
+        if: ${{ env.BUILTIN_REGISTRY_ENABLED == 'true' }}
         uses: docker/setup-buildx-action@v3
         with:
           # Use persistent BuildKit if BUILDKIT_ENDPOINT is set (e.g. tcp://buildkit:8125)
@@ -270,6 +277,7 @@ jobs:
           endpoint: ${{ env.BUILDKIT_ENDPOINT || '' }}
 
       - name: Extract metadata (tags) for Docker
+        if: ${{ env.BUILTIN_REGISTRY_ENABLED == 'true' }}
         id: meta
         uses: docker/metadata-action@v5
         with:
@@ -287,6 +295,7 @@ jobs:
           DOCKER_METADATA_ANNOTATIONS_LEVELS: index
 
       - name: Create manifest list and push
+        if: ${{ env.BUILTIN_REGISTRY_ENABLED == 'true' }}
         working-directory: /tmp/digests
         env:
           IMAGES: ${{needs.define-variables.outputs.images}}
@@ -304,6 +313,7 @@ jobs:
           done
 
       - name: Inspect image
+        if: ${{ env.BUILTIN_REGISTRY_ENABLED == 'true' }}
         env:
           IMAGES: ${{needs.define-variables.outputs.images}}
         shell: bash