What's the idiomatic way of using gitea-hosted container images in Actions jobs?

Gitea Container Registry is working great, and I can push an image to either organization or a user.

I’ve scanned tons of docs and forum posts to check what’s the idiomatic way to use your own container image in a job, i.e. something like:

runs-on: ubuntu-latest
container:
  image: git.example.com/some-org/some-image
  # credentials: ?

A few questions:

  • Are we supposed to pass user’s own login and password to Gitea as username/password to this (via secrets)? That would seem pretty awkward
  • Are we supposed to use the gitea_token, or a PAT? In which case, PAT for which user? And how exactly to use PAT here? I don’t think this is documented anywhere and I could find no examples.
  • Is there a distinction between “some other registry” and “this gitea’s registry”? I.e., should there be a simplified less-verbose way of accessing your own registry’s images given that it’s not really ‘external’? (again, maybe there’s a way but I couldn’t find anytning)

(Also, in the docs, I have found a section Access Restrictions that describes the difference between access levels but I’m not sure it works for container images, or how is it supposed to work when a runner is executing a job? I was assuming that if the image is attached to a public org, any runner job will have access to it without having to pass credentials, but I was wrong)