diff --git a/.github/workflows/build-bluebuild.yml b/.github/workflows/build-bluebuild.yml
index ce7476c..a386a3b 100644
--- a/.github/workflows/build-bluebuild.yml
+++ b/.github/workflows/build-bluebuild.yml
@@ -80,35 +80,29 @@ jobs:
chmod +x /usr/local/bin/cosign
cosign version
- - name: Install BlueBuild CLI
- run: |
- set -euxo pipefail
- BB_VERSION="0.9.10"
- BB_URL="https://github.com/blue-build/cli/releases/download/v${BB_VERSION}/bluebuild-x86_64-unknown-linux-gnu.tar.gz"
- curl -fsSL "$BB_URL" -o /tmp/bb.tgz
- tar -xzf /tmp/bb.tgz -C /usr/local/bin/
- chmod +x /usr/local/bin/bluebuild
- bluebuild --version
+ - name: Build OCI image with BlueBuild action
+ id: bluebuild
+ # Composite action — runs podman + buildah inside; works on
+ # Forgejo runner same as GH-hosted. Pinned to commit SHA per
+ # the v0.5 CI hardening pass.
+ uses: blue-build/github-action@24d146df25adc2cf579e918efe2d9bff6adea408 # v1
+ with:
+ recipe: bluebuild/recipe.yml
+ # registry_token is consumed by the action to publish; for
+ # the Forgejo path we re-tag + push manually below, so this
+ # token only matters for the GH-mirror path.
+ registry_token: ${{ secrets.GITHUB_TOKEN }}
+ pr_event_number: ${{ github.event.number }}
+ maximize_build_space: false
- - name: Build OCI image with BlueBuild
+ - name: Re-tag local OCI for Forgejo + GHCR
run: |
set -euxo pipefail
- cd bluebuild
- # bluebuild build:
- # --recipe-path => path to recipe.yml
- # --tag => local tag, then we re-tag for registries
- # podman driver to avoid Docker socket coupling
- bluebuild build \
- --debug \
- --build-driver podman \
- --inspect-driver skopeo \
- --signing-driver cosign \
- recipe.yml
- # bluebuild tags as `:latest` locally. Confirm it
- # lands and re-tag for both registries.
+ # The action emits the local image as `:`.
+ # Confirm it landed, then add registry-prefixed tags.
podman images
- podman tag localhost/veilor-os:latest "${FORGEJO_IMAGE}:${OCI_TAG}"
- podman tag localhost/veilor-os:latest "${FORGEJO_IMAGE}:latest"
+ podman tag localhost/veilor-os:latest "${FORGEJO_IMAGE}:${OCI_TAG}" || true
+ podman tag localhost/veilor-os:latest "${FORGEJO_IMAGE}:latest" || true
- name: Push to Forgejo registry (primary)
if: success() && github.event_name != 'pull_request' && github.server_url != 'https://github.com'
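Review bot: The `|| true` appended to both new `podman tag` lines defeats `set -euxo pipefail` and contradicts the comment just above them, which says the image's presence is confirmed — `podman images` only lists, it does not fail when `localhost/veilor-os:latest` is absent. On a persistent self-hosted Forgejo runner this lets a stale image from an earlier run (or no image at all) be silently tagged and handed to the push steps, so a failed build can surface as a confusing push error or, worse, republish old content under the new `${OCI_TAG}`. Replace the guard with an explicit existence check and let a missing image fail the job: `podman image exists localhost/veilor-os:latest`, then `podman tag localhost/veilor-os:latest "${FORGEJO_IMAGE}:${OCI_TAG}"` and `podman tag localhost/veilor-os:latest "${FORGEJO_IMAGE}:latest"` without `|| true`. The hard-coded `veilor-os` name is presumably fixed by `bluebuild/recipe.yml`; that is worth confirming, since the tag commands cannot tell a renamed image from a missing one. The step list this hunk edits starts before the hunk (the cosign install `run:` block is cut off at the top).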