diff --git a/.gitea/workflows/build-image.yaml b/.gitea/workflows/build-image.yaml
index b777c4f..7341712 100644
--- a/.gitea/workflows/build-image.yaml
+++ b/.gitea/workflows/build-image.yaml
@@ -16,29 +16,14 @@ on:
 jobs:
 build:
+ # Runs in our custom ubuntu-act-runner image (Node 20 + Docker CLI + git)
+ # Docker daemon is the DinD sidecar via DOCKER_HOST=tcp://localhost:2376
 runs-on: ubuntu-latest
 steps:
 - name: 🔎 Checkout
 uses: actions/checkout@v4
- - name: 🐳 Install Docker CLI
- run: |
- apt-get update && apt-get install -y --no-install-recommends \
- ca-certificates \
- curl \
- gnupg
- install -m 0755 -d /etc/apt/keyrings
- curl -fsSL https://download.docker.com/linux/debian/gpg \
- -o /etc/apt/keyrings/docker.asc
- chmod a+r /etc/apt/keyrings/docker.asc
- echo "deb [arch=$(dpkg --print-architecture) \
- signed-by=/etc/apt/keyrings/docker.asc] \
- https://download.docker.com/linux/debian \
- $(. /etc/os-release && echo "$VERSION_CODENAME") stable" \
- > /etc/apt/sources.list.d/docker.list
- apt-get update && apt-get install -y --no-install-recommends docker-ce-cli
-
 - name: 🏷️ Set Image Tags
 id: tags
 run: |
@@ -78,11 +63,9 @@ jobs:
 docker push ${{ steps.tags.outputs.tag_sha }}
 - name: 📨 Telegram Notification
+ if: always()
 run: |
- STATUS="${{ job.status }}"
- TEXT="🐳 Build: ansible-act-runner:${{ steps.tags.outputs.short_sha }}%0AStatus: ${STATUS}"
 curl -s -X POST \
 "https://api.telegram.org/bot${{ secrets.TELEGRAM_BOT_TOKEN }}/sendMessage" \
 -d "chat_id=${{ secrets.TELEGRAM_CHAT_ID }}" \
- -d "text=${TEXT}"
- if: always()
+ -d "text=🐳 Build ansible-act-runner:${{ steps.tags.outputs.short_sha }} — ${{ job.status }}"
diff --git a/.gitea/workflows/build-ubuntu-latest.yaml b/.gitea/workflows/build-ubuntu-latest.yaml
new file mode 100644
index 0000000..ffe1714
--- /dev/null
+++ b/.gitea/workflows/build-ubuntu-latest.yaml
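Review bot: The comment added in the first hunk of build-image.yaml names `DOCKER_HOST=tcp://localhost:2376`, but nothing visible in this workflow sets that variable or says whether the connection to the DinD sidecar is TLS-authenticated. Port 2376 is conventionally the TLS port, so presumably the runner image or pod spec also supplies `DOCKER_TLS_VERIFY` and `DOCKER_CERT_PATH`; without them, any process sharing the network namespace can drive the daemon. I would extend the comment to record where these come from, e.g. `# DOCKER_HOST / DOCKER_TLS_VERIFY / DOCKER_CERT_PATH are set by the runner pod spec (TODO confirm)`. The job body continues outside the hunk.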
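Review bot: In the Telegram step of build-image.yaml (second hunk) the message is sent with `-d "text=…"`, which curl posts verbatim, so the form body is not URL-encoded and a tag or status containing `&`, `%` or `+` would be truncated or mangled; `--data-urlencode "text=…"` avoids that. The bot token and chat id are interpolated directly into the script text; passing them through the step's `env:` and referencing `"$TELEGRAM_BOT_TOKEN"` keeps them out of the rendered script. With `curl -s` and no `--fail` or `--max-time`, a rejected or hanging request goes unnoticed, so `curl -sS --fail --max-time 10` would be a safer invocation. The identical step added in build-ubuntu-latest.yaml has the same issues.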
@@ -0,0 +1,65 @@
+name: 🐳 Build ubuntu-latest Runner Image
+
+on:
+ push:
+ branches:
+ - main
+ paths:
+ - 'docker-ubuntu-latest/Dockerfile'
+ workflow_dispatch:
+
+jobs:
+ build:
+ # Bootstraps itself — runs on docker:host (no container spawned)
+ # Docker CLI available via tools volume from initContainer
+ runs-on: docker
+
+ steps:
+ - name: 🔎 Checkout
+ run: |
+ git clone \
+ --depth 1 \
+ --branch "${{ gitea.ref_name }}" \
+ "http://${{ secrets.REGISTRY_USER }}:${{ secrets.REGISTRY_PASSWORD }}@gitea.mod.home/ansible/ansible-runner.git" \
+ .
+
+ - name: 🏷️ Set Image Tags
+ id: tags
+ run: |
+ REGISTRY="gitea.mod.home"
+ ORG="${{ gitea.repository_owner }}"
+ IMAGE="ubuntu-act-runner"
+ SHORT_SHA="${{ gitea.sha }}"
+ SHORT_SHA="${SHORT_SHA:0:8}"
+
+ echo "tag_latest=${REGISTRY}/${ORG}/${IMAGE}:latest" >> $GITHUB_OUTPUT
+ echo "tag_sha=${REGISTRY}/${ORG}/${IMAGE}:${SHORT_SHA}" >> $GITHUB_OUTPUT
+ echo "short_sha=${SHORT_SHA}" >> $GITHUB_OUTPUT
+
+ - name: 🐳 Docker Login → Gitea Registry
+ run: |
+ echo "${{ secrets.REGISTRY_PASSWORD }}" | \
+ docker login gitea.mod.home \
+ --username "${{ secrets.REGISTRY_USER }}" \
+ --password-stdin
+
+ - name: 🐳 Build Image
+ run: |
+ docker build \
+ -t ${{ steps.tags.outputs.tag_latest }} \
+ -t ${{ steps.tags.outputs.tag_sha }} \
+ -f docker-ubuntu-latest/Dockerfile \
+ docker-ubuntu-latest/
+
+ - name: 🐳 Push Image
+ run: |
+ docker push ${{ steps.tags.outputs.tag_latest }}
+ docker push ${{ steps.tags.outputs.tag_sha }}
+
+ - name: 📨 Telegram Notification
+ if: always()
+ run: |
+ curl -s -X POST \
+ "https://api.telegram.org/bot${{ secrets.TELEGRAM_BOT_TOKEN }}/sendMessage" \
+ -d "chat_id=${{ secrets.TELEGRAM_CHAT_ID }}" \
+ -d "text=🐳 Build ubuntu-act-runner:${{ steps.tags.outputs.short_sha }} — ${{ job.status }}"
diff --git a/docker-ubuntu-latest/Dockerfile b/docker-ubuntu-latest/Dockerfile
new file mode 100644
index 0000000..f2bbeae
--- /dev/null
+++ b/docker-ubuntu-latest/Dockerfile
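Review bot: The checkout step in build-ubuntu-latest.yaml embeds `REGISTRY_USER` and `REGISTRY_PASSWORD` in an `http://` clone URL, so the credentials travel as cleartext Basic auth and are stored as the origin URL in `.git/config`, in a workspace that per the job comment sits on the runner host rather than in a throwaway container. Supplying them through `env:` and a one-shot credential helper keeps them out of the URL, the script text and the repository config. The `https://` scheme in the fence assumes the Gitea instance serves TLS, which this page does not show. The later `docker login` also leaves credentials in the host's Docker config, so a closing `docker logout gitea.mod.home` step with `if: always()` would be worth adding.

```yaml
      - name: 🔎 Checkout
        env:
          GIT_USER: ${{ secrets.REGISTRY_USER }}
          GIT_PASS: ${{ secrets.REGISTRY_PASSWORD }}
          REF_NAME: ${{ gitea.ref_name }}
        run: |
          # helper is passed with -c, so it is not persisted in .git/config
          git -c credential.helper='!f() { echo "username=${GIT_USER}"; echo "password=${GIT_PASS}"; }; f' \
            clone --depth 1 --branch "${REF_NAME}" \
            "https://gitea.mod.home/ansible/ansible-runner.git" \
            .
      # … unchanged: Set Image Tags, Docker Login, Build, Push, Telegram …
```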
@@ -0,0 +1,39 @@
+FROM ubuntu:22.04
+
+LABEL maintainer="homelab"
+LABEL description="ubuntu-latest runner image — Node 20 + Docker CLI + git"
+
+ENV DEBIAN_FRONTEND=noninteractive
+ENV NODE_VERSION=20
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+ curl \
+ wget \
+ git \
+ ca-certificates \
+ gnupg \
+ unzip \
+ jq \
+ openssh-client \
+ && rm -rf /var/lib/apt/lists/*
+
+# Node.js 20 LTS
+RUN curl -fsSL https://deb.nodesource.com/setup_${NODE_VERSION}.x | bash - \
+ && apt-get install -y --no-install-recommends nodejs \
+ && rm -rf /var/lib/apt/lists/*
+
+# Docker CLI only (no daemon)
+RUN curl -fsSL https://download.docker.com/linux/ubuntu/gpg \
+ -o /etc/apt/keyrings/docker.asc \
+ && chmod a+r /etc/apt/keyrings/docker.asc \
+ && echo "deb [arch=$(dpkg --print-architecture) \
+ signed-by=/etc/apt/keyrings/docker.asc] \
+ https://download.docker.com/linux/ubuntu \
+ $(. /etc/os-release && echo "$VERSION_CODENAME") stable" \
+ > /etc/apt/sources.list.d/docker.list \
+ && apt-get update \
+ && apt-get install -y --no-install-recommends docker-ce-cli \
+ && rm -rf /var/lib/apt/lists/*
+
+# Smoke tests
+RUN node --version && docker --version && git --version
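Review bot: The Node.js layer pipes `https://deb.nodesource.com/setup_${NODE_VERSION}.x` straight into `bash` as root, so whatever that URL serves at build time runs unreviewed inside the image that CI jobs then execute in. Registering the NodeSource repository explicitly with a `signed-by` key, as the Docker CLI layer already does, removes the remote script while keeping apt's signature checks. The key URL and repo line in the fence follow NodeSource's manual-install instructions and should be confirmed against them. The removed workflow step ran `install -m 0755 -d /etc/apt/keyrings` before writing a key and this Dockerfile does not, so it relies on that directory already existing. `FROM ubuntu:22.04` and `docker-ce-cli` are also unpinned, so pinning the base image by digest is worth considering for reproducible rebuilds.

```dockerfile
# Node.js 20 LTS: repo registered explicitly, no remote setup script executed
RUN install -m 0755 -d /etc/apt/keyrings \
    && curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key \
       -o /etc/apt/keyrings/nodesource.asc \
    && chmod a+r /etc/apt/keyrings/nodesource.asc \
    && echo "deb [signed-by=/etc/apt/keyrings/nodesource.asc] https://deb.nodesource.com/node_${NODE_VERSION}.x nodistro main" \
       > /etc/apt/sources.list.d/nodesource.list \
    && apt-get update \
    && apt-get install -y --no-install-recommends nodejs \
    && rm -rf /var/lib/apt/lists/*
# … unchanged: Docker CLI layer and smoke tests …
```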