What's the idiomatic way of using gitea-hosted container images in Actions jobs?

This setup doesn’t work for me:

name: Deploy website
on: [push]
    runs-on: ubuntu-latest
      image: gitea.example.com/private-org/image
        username: ${{ gitea.actor }}
        password: ${{ gitea.token }}
      - run: pwd

I’m not sure if the credentials are getting through:

ci(version:v0.2.8) received task 68 of job 73, be triggered by event: push
workflow prepared
evaluating expression 'success()'
expression 'success()' evaluated to 'true'
expression '${{ gitea.actor }}' rewritten to 'format('{0}', gitea.actor)'
evaluating expression 'format('{0}', gitea.actor)'
expression 'format('{0}', gitea.actor)' evaluated to '%!t(string=annika)'
expression '${{ gitea.token }}' rewritten to 'format('{0}', gitea.token)'
evaluating expression 'format('{0}', gitea.token)'
expression 'format('{0}', gitea.token)' evaluated to '%!t(string=***)'
🚀  Start image=gitea.example.com/private-org/image
  🐳  docker pull image=gitea.example.com/private-org/image platform= username=annika forcePull=false
  🐳  docker pull gitea.example.com/private-org/image
Image exists? false
pulling image 'gitea.example.com/private-org/image' ()
using authentication for docker pull
pulling image 'gitea.example.com/private-org/image' () failed with credentials Error response from daemon: unauthorized: authentication required retrying without them, please check for stale docker config files
Error response from daemon: unauthorized: authentication required