diff --git a/.forgejo/workflows/build.yml b/.forgejo/workflows/build.yml
index 8efed6f..4ec1671 100644
--- a/.forgejo/workflows/build.yml
+++ b/.forgejo/workflows/build.yml
@@ -49,8 +49,29 @@ jobs:
         platform: [linux/amd64]
 
     steps:
-      - name: Checkout
-        uses: actions/checkout@v4
+      # Manual checkout that bypasses the runner's broken internal URL.
+      # The runner's `instance` is configured as http://forgejo:3000 which it
+      # cannot resolve, so actions/checkout@v4 fails. We clone from the
+      # public URL directly using REGISTRY_TOKEN for auth.
+      - name: Checkout (manual workaround for runner internal URL)
+        shell: bash
+        env:
+          TOKEN: ${{ secrets.REGISTRY_TOKEN }}
+          REPO:  ${{ gitea.repository }}
+          SHA:   ${{ gitea.sha }}
+        run: |
+          set -eo pipefail
+          # Don't echo the token-bearing URL into logs
+          set +x
+          REMOTE="https://mkm1971:${TOKEN}@cgi.medsys.cloud/${REPO}.git"
+          git init -q .
+          git remote add origin "$REMOTE"
+          git fetch --depth=1 origin "${SHA:-main}"
+          git checkout -q FETCH_HEAD
+          # Scrub the credential out of the remote so later steps can't leak it
+          git remote set-url origin "https://cgi.medsys.cloud/${REPO}.git"
+          set -x
+          git log --oneline -1
 
       - name: Compute tags
         id: tags