diff --git a/.forgejo/workflows/build.yml b/.forgejo/workflows/build.yml
index 55aaf6b..7345440 100644
--- a/.forgejo/workflows/build.yml
+++ b/.forgejo/workflows/build.yml
@@ -106,6 +106,11 @@ jobs:
 cosign version
 jq --version
+ # Build with buildah + vfs + chroot isolation. This combo avoids:
+ # - user namespaces (which need newuidmap and aren't always allowed)
+ # - overlay mounts (which need mount propagation)
+ # - clone() with CLONE_NEW* flags (which seccomp may block)
+ # Run with sudo so we already have full caps and don't need to unshare.
 - name: Build image
 id: build
 shell: bash
@@ -113,11 +118,16 @@ jobs:
 IMAGE_REF: ${{ steps.tags.outputs.image_ref }}
 DATE_TAG: ${{ steps.tags.outputs.date_tag }}
 SHA_TAG: ${{ steps.tags.outputs.sha_tag }}
+ BUILDAH_ISOLATION: chroot
+ STORAGE_DRIVER: vfs
 run: |
 set -euxo pipefail
- podman build \
+ sudo BUILDAH_ISOLATION=chroot STORAGE_DRIVER=vfs buildah \
+ --storage-driver=vfs \
+ bud \
+ --isolation=chroot \
 --platform=${{ matrix.platform }} \
- --pull=newer \
+ --pull-always \
 --tag "${IMAGE_REF}:${DATE_TAG}" \
 --tag "${IMAGE_REF}:${SHA_TAG}" \
 $(for t in $IMAGE_TAGS; do echo --tag "${IMAGE_REF}:${t}"; done) \
@@ -127,7 +137,7 @@ jobs:
 if: github.event_name != 'pull_request'
 shell: bash
 run: |
- echo "${REGISTRY_TOKEN}" | podman login \
+ echo "${REGISTRY_TOKEN}" | sudo buildah --storage-driver=vfs login \
 --username "${REGISTRY_USER}" \
 --password-stdin \
 "${REGISTRY}"
@@ -142,7 +152,7 @@ jobs:
 run: |
 set -euxo pipefail
 for tag in $DATE_TAG $SHA_TAG $IMAGE_TAGS; do
- podman push "${IMAGE_REF}:${tag}"
+ sudo buildah --storage-driver=vfs push "${IMAGE_REF}:${tag}"
 done
 - name: Sign image with cosign
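Review bot: The new comment block above `- name: Build image` explains why chroot isolation and vfs were chosen but not what is given up: with `--isolation=chroot` under sudo, every RUN instruction in the Containerfile executes as real root on the runner's kernel with the full capability set and no namespace separation, so the Containerfile and the base image's own scripts effectively run with host-root privileges. That trade-off belongs next to the rationale so nobody later points this job at an untrusted Containerfile or a PR-controlled build context. I would append one line to the comment: `# NOTE: chroot isolation has no namespace separation; RUN steps execute as host root, so only build trusted Containerfiles on this runner.` The `cosign version` / `jq --version` context at the top of the hunk belongs to a step whose start is outside the hunk.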
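Review bot: The two new `env:` entries `BUILDAH_ISOLATION: chroot` and `STORAGE_DRIVER: vfs` in the build step look dead: sudo resets the environment by default (env_reset), which is presumably why the same values are repeated inline as `sudo BUILDAH_ISOLATION=chroot STORAGE_DRIVER=vfs buildah`, and the explicit `--storage-driver=vfs` and `--isolation=chroot` flags already pin both settings. Keeping three copies of the same setting invites drift when one is changed. I would drop the two `env:` lines and the inline assignments and keep only the flags, or, if the variables are wanted by child processes, use `sudo --preserve-env=BUILDAH_ISOLATION,STORAGE_DRIVER buildah \` and drop the inline assignments; this depends on the runner's sudoers configuration, which is not visible here. The `run:` block continues past the end of the hunk.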
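Review bot: The login now runs as root via sudo, so the registry token is persisted into root's containers auth file rather than the runner user's, and nothing in the workflow logs it out again. Reading the token from stdin with `--password-stdin` is the right choice, but if the runner is not ephemeral the credential outlives the job and is reusable by anything that later gets root on that host. I would add a final step guarded by `if: always()` whose run line is `sudo buildah --storage-driver=vfs logout "${REGISTRY}"` so the stored credential is removed regardless of how the job ends. The push step in the `@@ -142,7 +152,7 @@` hunk relies on the same root auth file, so the logout must come after it.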
@@ -155,7 +165,11 @@ jobs:
 run: |
 set -euxo pipefail
 for tag in $IMAGE_TAGS; do
- DIGEST=$(skopeo inspect --format '{{.Digest}}' "docker://${IMAGE_REF}:${tag}")
+ # skopeo inspect against private registry needs creds
+ DIGEST=$(skopeo inspect \
+ --creds "${REGISTRY_USER}:${REGISTRY_TOKEN}" \
+ --format '{{.Digest}}' \
+ "docker://${IMAGE_REF}:${tag}")
 cosign sign --yes --key env://COSIGN_PRIVATE_KEY "${IMAGE_REF}@${DIGEST}"
 done
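Review bot: The new `--creds "${REGISTRY_USER}:${REGISTRY_TOKEN}"` line puts the registry token on the skopeo command line inside a `run:` block that starts with `set -euxo pipefail`, so bash's `-x` trace writes the expanded token into the job log on every loop iteration, and it is also readable by any other process on the runner through the process arguments for as long as skopeo runs. Forgejo's secret masking may redact it from the log if the value came straight from a secret, but that cannot be assumed from this hunk and does not cover the process listing. The fix is to authenticate once through stdin before the loop and drop the `--creds` line: `echo "${REGISTRY_TOKEN}" | skopeo login --username "${REGISTRY_USER}" --password-stdin "${REGISTRY}"`; skopeo then reads the stored auth file like buildah does. The step's `name:` and `env:` (presumably where REGISTRY_USER and REGISTRY_TOKEN come from) start before this hunk.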