diff --git a/.github/workflows/build-bluebuild.yml b/.github/workflows/build-bluebuild.yml
index 8308eb1..23af3af 100644
--- a/.github/workflows/build-bluebuild.yml
+++ b/.github/workflows/build-bluebuild.yml
@@ -95,6 +95,16 @@ jobs:
 chmod +x /usr/local/bin/cosign
 cosign version
+ - name: Pre-pull secureblue base image
+ run: |
+ set -euxo pipefail
+ # GHCR's manifest API rejects anonymous calls from skopeo
+ # ("Not authorized") for some public images — but `podman
+ # pull` handles the anonymous token dance correctly. Pre-pull
+ # the base into local podman storage so bluebuild's
+ # templating step finds it without a registry round-trip.
+ podman pull ghcr.io/secureblue/securecore-kinoite-hardened-userns:latest
+
 - name: Build OCI image with BlueBuild CLI
 id: bluebuild
 # blue-build/github-action requires docker buildx which podman
@@ -106,16 +116,20 @@ jobs:
 # Pull cli image; pinned to v0.9.x at action time.
 podman pull ghcr.io/blue-build/cli:latest
 # Mount the repo + podman socket; build with buildah driver.
+ # Bind host /var/lib/containers/storage into the bluebuild
+ # CLI container so buildah inside it can see the pre-pulled
+ # secureblue base layer (avoids GHCR auth round-trip during
+ # templating).
 podman run --rm \
 --privileged \
 --entrypoint /usr/bin/bluebuild \
 -v "$PWD:/work" \
+ -v /var/lib/containers/storage:/var/lib/containers/storage \
 -w /work \
 -e BB_BUILD_DRIVER=buildah \
 ghcr.io/blue-build/cli:latest \
 build \
 --build-driver buildah \
- --inspect-driver skopeo \
 bluebuild/recipe.yml
 # bluebuild CLI tags as : in local podman
 # storage. List + verify, then re-tag for the registries.
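Review bot: The new `podman pull ghcr.io/secureblue/securecore-kinoite-hardened-userns:latest` line pre-seeds the build with whatever that mutable tag resolves to at run time, and nothing in the step checks the base before the later cosign-signed build consumes it, so a moved or compromised tag flows straight into the published image. Since cosign is installed two lines above this step, the pull could be preceded by a verification and pinned to a digest, e.g. `cosign verify --key <SECUREBLUE_PUBKEY_PLACEHOLDER> ghcr.io/secureblue/securecore-kinoite-hardened-userns@sha256:<DIGEST_PLACEHOLDER>` followed by `podman pull ghcr.io/secureblue/securecore-kinoite-hardened-userns@sha256:<DIGEST_PLACEHOLDER>`, with a comment stating how the digest is refreshed (whether secureblue signs with a key or keyless cannot be told from this hunk, so the exact verify flags need checking). If the recipe in `bluebuild/recipe.yml` also names the base by tag, the pin must match there too or the pre-pulled layer will not be the one the template resolves. The `- name: Build OCI image with BlueBuild CLI` step that follows continues outside the hunk.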
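Review bot: The added `-v /var/lib/containers/storage:/var/lib/containers/storage \` only surfaces the pre-pulled base if the host-side `podman pull` wrote to root's storage; if the runner's podman is rootless (the hunk does not show whether these steps run as root), the image sits under the user's graph root instead, the mounted host path is empty, and buildah inside the container quietly falls back to a registry pull, defeating the step's purpose with no error. Deriving the path from podman rather than hard-coding it avoids the guess, e.g. `-v "$(podman info --format '{{.Store.GraphRoot}}'):/var/lib/containers/storage" \`, and a `podman image exists ghcr.io/secureblue/securecore-kinoite-hardened-userns:latest` check before the `podman run` would make the fallback visible. Sharing one storage root between the host podman and a `--privileged` buildah that may use a different storage driver or configuration is also a store-corruption risk worth a comment on the new comment block above `podman run --rm \`. The enclosing `run: |` block begins before this hunk.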