fix(ci): Resolve registry push failures for fork PRs

Fork PRs now fail during Docker image build with 'tag is needed when
pushing to registry' because BUILTIN_REGISTRY_ENABLED evaluates to false
without proper credentials, leaving the images list empty. This appears
to be due to recent Forgejo permission changes affecting fork access to
repository secrets.

Add fallback to official registry when credentials unavailable, skip
registry login and push operations for forks, and make merge job
conditional since no digests exist without push. This allows forks to
test Docker builds whilst avoiding authentication failures.

.forgejo/workflows/release-image.yml

@@ -53,6 +53,9 @@ jobs:
             let images = []
             if (process.env.BUILTIN_REGISTRY_ENABLED === "true") {
               images.push(builtinImage)
+            } else {
+              // Fallback to official registry for forks/PRs without credentials
+              images.push('forgejo.ellis.link/continuwuation/continuwuity')
             }
             core.setOutput('images', images.join("\n"))
             core.setOutput('images_list', images.join(","))
@@ -111,6 +114,7 @@ jobs:
         uses: docker/setup-qemu-action@v3
       # Uses the `docker/login-action` action to log in to the Container registry registry using the account and password that will publish the packages. Once published, the packages are scoped to the account defined here.
       - name: Login to builtin registry
+        if: ${{ env.BUILTIN_REGISTRY_ENABLED == 'true' }}
         uses: docker/login-action@v3
         with:
           registry: ${{ env.BUILTIN_REGISTRY }}
@@ -207,7 +211,7 @@ jobs:
           cache-from: type=gha
           # cache-to: type=gha,mode=max
           sbom: true
-          outputs: type=image,"name=${{ needs.define-variables.outputs.images_list }}",push-by-digest=true,name-canonical=true,push=true
+          outputs: ${{ env.BUILTIN_REGISTRY_ENABLED == 'true' && 'type=image,"name=${{ needs.define-variables.outputs.images_list }}",push-by-digest=true,name-canonical=true,push=true' || 'type=docker' }}
         env:
           SOURCE_DATE_EPOCH: ${{ env.TIMESTAMP }}
 
@@ -247,6 +251,7 @@ jobs:
   merge:
     runs-on: dind
     needs: [define-variables, build-image]
+    if: ${{ env.BUILTIN_REGISTRY_ENABLED == 'true' }}
     steps:
       - name: Download digests
         uses: forgejo/download-artifact@v4
@@ -256,6 +261,7 @@ jobs:
           merge-multiple: true
       # Uses the `docker/login-action` action to log in to the Container registry registry using the account and password that will publish the packages. Once published, the packages are scoped to the account defined here.
       - name: Login to builtin registry
+        if: ${{ env.BUILTIN_REGISTRY_ENABLED == 'true' }}
         uses: docker/login-action@v3
         with:
           registry: ${{ env.BUILTIN_REGISTRY }}