Alright folks, I think I've figured this out.
The GCP deploy service runs as service-<project num>@serverless-robot-prod.iam.gserviceaccount.com
The service itself runs as <project num>-compute@developer.gserviceaccount.com
So, to authorize deploy, you can attach the registry reader role to the service- account, and to lock down permissions on the service itself you can create a new restricted service account. No catch-22 or circular dependency.