diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index ffec051..4e427e5 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -34,24 +34,23 @@ jobs:
 with:
 install: true
- - name: Build and push image with attestations
+ - name: Build and push image (with attestations)
 run: |
+ set -euo pipefail
+ IMAGE="${{ secrets.CI_REGISTRY_IMAGE }}"
 TAG="${{ inputs.version }}"
- docker buildx build \
- --push \
- --platform linux/amd64 \
- --tag ${{ secrets.CI_REGISTRY_IMAGE }}:$TAG \
- --sbom=true \
- --provenance=true \
- --pull \
- --no-cache \
- .
-
- - name: Tag and push as latest (with attestations)
- if: inputs.tag_latest == true
- run: |
- TAG="${{ inputs.version }}"
- # Re-tag using buildx to maintain attestations
- docker buildx imagetools create \
- --tag ${{ secrets.CI_REGISTRY_IMAGE }}:latest \
- ${{ secrets.CI_REGISTRY_IMAGE }}:$TAG
+
+ ARGS=(
+ --push
+ --platform linux/amd64
+ --tag "${IMAGE}:${TAG}"
+ --sbom=true
+ --provenance=true
+ --pull
+ )
+
+ if [[ "${{ inputs.tag_latest }}" == "true" ]]; then
+ ARGS+=( --tag "${IMAGE}:latest" )
+ fi
+
+ docker buildx build "${ARGS[@]}" .
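Review bot: The new `IMAGE="${{ secrets.CI_REGISTRY_IMAGE }}"` line and the new `if [[ "${{ inputs.tag_latest }}" == "true" ]]` test splice GitHub expressions into the script text before bash parses it, so the shell quoting around them does not protect against a value that itself contains a `"` or `$(…)`; the unchanged `TAG="${{ inputs.version }}"` line above them has the same shape. Passing these values through the step's `env:` block and reading them as plain shell variables keeps them as data rather than code. Separately, the rebuilt `ARGS` array no longer passes the `--no-cache` flag the old `docker buildx build` invocation used; if dropping it is intentional, a one-line comment such as `# cache reuse is acceptable here; --pull still refreshes the base image` would make that explicit, since reused layers may affect what the SBOM and provenance attestations describe. The `steps` list and job header begin above the hunk.
```yaml
      - name: Build and push image (with attestations)
        env:
          IMAGE: ${{ secrets.CI_REGISTRY_IMAGE }}
          VERSION: ${{ inputs.version }}
          TAG_LATEST: ${{ inputs.tag_latest }}
        run: |
          set -euo pipefail
          TAG="$VERSION"
          # … unchanged: ARGS array …
          if [[ "$TAG_LATEST" == "true" ]]; then
            ARGS+=( --tag "${IMAGE}:latest" )
          fi
          # … unchanged: docker buildx build "${ARGS[@]}" . …
```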