[Bug]: container image push fails with 401 on manifest PUT to ECR; pull from same registry succeeds

[SalladinBalwer]

I have done the following

• I have searched the existing issues
• If possible, I've reproduced the issue using the 'main' branch of this project

Steps to reproduce

# Login
aws ecr get-login-password --region <region> \
  | container registry login --username AWS --password-stdin \
    <account>.dkr.ecr.<region>.amazonaws.com

# Pull works fine
container image pull <account>.dkr.ecr.<region>.amazonaws.com/<repo>:<tag>

# Push fails on manifest
container image push <account>.dkr.ecr.<region>.amazonaws.com/<repo>:<tag>

### Problem description

Current behavior

Blob uploads succeed (100%), then the manifest PUT returns 401:

Error: HTTP request to https://.dkr.ecr..amazonaws.com/v2//manifests/ failed with response: 401 Unauthorized. Reason: invalidArgument: "missing Bearer challenge in WWW-Authenticate header"

### Expected behavior

Manifest pushes successfully after blobs, consistent with how pull works.

### Key observations

- `container image pull` from the same registry with the same credentials **succeeds**
- Blob uploads during push succeed (100%); only the final manifest PUT fails
- The error is consistent and reproducible
- This isolates the bug to the manifest PUT authentication path in `container image push`, not to credential storage or blob handling

### Environment

```markdown
- OS: macOS 26.5.1
- Container: CLI version 1.0.0 (build: release, commit: ee848e3) — signed installer from GitHub releases
- Registry: AWS ECR

Code of Conduct

• I agree to follow this project's Code of Conduct