diff --git a/.gitea/workflows/build-and-push.yaml b/.gitea/workflows/build-and-push.yaml
index 8b137cf..e129b63 100644
--- a/.gitea/workflows/build-and-push.yaml
+++ b/.gitea/workflows/build-and-push.yaml
@@ -67,10 +67,17 @@ jobs:
 echo "tag_latest=${IMAGE_NAME}:latest" >> "$GITHUB_OUTPUT"
 - name: Login to Harbor
+ # Pass secrets via env (not ${{ }} inlining) so shell quoting can't
+ # mangle them — e.g. a literal `$` in the robot username would be
+ # expanded by bash if inlined inside double quotes. printf (not echo)
+ # avoids appending a newline to the password sent to --password-stdin.
+ env:
+ HARBOR_USERNAME: ${{ secrets.HARBOR_USERNAME }}
+ HARBOR_PASSWORD: ${{ secrets.HARBOR_PASSWORD }}
 run: |
- echo "${{ secrets.HARBOR_PASSWORD }}" \
- | docker login "${{ env.HARBOR_REGISTRY }}" \
- -u "${{ secrets.HARBOR_USERNAME }}" \
+ printf '%s' "$HARBOR_PASSWORD" \
+ | docker login "$HARBOR_REGISTRY" \
+ -u "$HARBOR_USERNAME" \
 --password-stdin
 - name: Build image
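Review bot: `docker login "$HARBOR_REGISTRY"` now depends on the runner exporting `HARBOR_REGISTRY` into the step's shell, whereas the old `${{ env.HARBOR_REGISTRY }}` was substituted before bash ran; the variable's definition is outside this hunk, so that is worth confirming. If it were ever empty, `docker login ""` would presumably fall back to the default registry and present the Harbor robot credentials there. A fail-fast guard as the first line of the `run:` block covers this and missing secrets alike: `: "${HARBOR_REGISTRY:?unset}" "${HARBOR_USERNAME:?unset}" "${HARBOR_PASSWORD:?unset}"`. The step list continues outside the hunk; if no later step runs `docker logout`, the credential stays in the runner's Docker config after the job, which matters on a persistent self-hosted runner.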