diff --git a/linux/build/scripts/build.sh b/linux/build/scripts/build.sh
index 32a5f0f..db46cc1 100755
--- a/linux/build/scripts/build.sh
+++ b/linux/build/scripts/build.sh
@@ -99,8 +99,25 @@ echo "build.sh: output -> ${BUILD_DIR}"
 # job container, which inherits its /workspace mount intact. That keeps
 # paths identical inside and outside, so the inner heredoc below is the
 # same in both environments.
+#
+# Discovering the job container's own ID: `hostname` is unreliable on
+# act_runner / catthehacker (returned the literal string "docker" once
+# the runner was running with config.yaml's `network: host` applied —
+# see run #4268). /proc/self/cgroup is the portable way:
+#   * cgroup v1: lines look like `12:devices:/docker/<64-hex>`
+#   * cgroup v2: `0::/system.slice/docker-<64-hex>.scope`
+# Either way the 64-char hex container ID is in the path. Extract the
+# first one.
 if [[ -n "${GITHUB_ACTIONS:-}" ]]; then
-    BIND_ARGS=(--volumes-from "$(hostname)")
+    SELF_CID="$(awk 'match($0, /[a-f0-9]{64}/) { print substr($0, RSTART, RLENGTH); exit }' /proc/self/cgroup 2>/dev/null || true)"
+    if [[ -z "${SELF_CID}" ]]; then
+        echo "build.sh: could not determine own container ID from /proc/self/cgroup" >&2
+        echo "build.sh: cgroup contents:" >&2
+        cat /proc/self/cgroup >&2 || true
+        exit 1
+    fi
+    echo "build.sh: --volumes-from ${SELF_CID:0:12}"
+    BIND_ARGS=(--volumes-from "${SELF_CID}")
 else
     BIND_ARGS=(-v "${REPO_ROOT}:${REPO_ROOT}:rw")
     # If BUILD_DIR lives outside REPO_ROOT (uncommon, but the env-var