diff --git a/.gitea/workflows/release.yml b/.gitea/workflows/release.yml
index 7c6fefe..8219dee 100644
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
@@ -110,6 +110,24 @@ jobs:
       - name: Build live image
         run: make live-image
 
+      - name: Debug registry auth context
+        run: |
+          set -euo pipefail
+          echo "OWNER='${OWNER}'"
+          echo "LI_VERSION='${LI_VERSION}'"
+          echo "REGISTRY_URL='${REGISTRY_URL}'"
+          echo "TOKEN_LEN=${#REGISTRY_TOKEN}"
+          # Probe whoami via the token to confirm it authenticates and
+          # resolves to the expected user. A 401 here narrows the
+          # failure to token/secret injection; a 200 with a different
+          # username narrows it to OWNER mismatch.
+          curl -sS -o /tmp/whoami.json -w 'whoami_status=%{http_code}\n' \
+            -H "Authorization: token ${REGISTRY_TOKEN}" \
+            "${REGISTRY_URL}/api/v1/user"
+          echo "whoami body:"
+          cat /tmp/whoami.json
+          echo
+
       - name: Publish live-image/${{ env.LI_VERSION }}/
         run: |
           set -euo pipefail