diff --git a/linux/build/runner/config.yaml b/linux/build/runner/config.yaml
index 08e0d2e..4348a34 100644
--- a/linux/build/runner/config.yaml
+++ b/linux/build/runner/config.yaml
@@ -19,18 +19,18 @@ container:
 - "/cache:/cache"
 - "/var/run/docker.sock:/var/run/docker.sock"
 - "/root/.docker:/root/.docker:ro"
- options: >-
- -v /cache:/cache
- -v /var/run/docker.sock:/var/run/docker.sock
- -v /root/.docker:/root/.docker:ro
- # The /root/.docker mount carries the host's docker-registry.silverlabs.uk
- # credentials into the job container, so `docker push` from the
- # builder-image job in build-iso-linux.yaml works without an explicit
- # `docker login` step. catthehacker/ubuntu:act-latest runs as root, so
- # /root/.docker/config.json is what its docker-cli reads. Without this,
- # the push fails with "no basic auth credentials" — even though docker
- # build itself works fine over the DooD socket.
- #
+ # `options` is applied on top of act_runner's default per-job-container
+ # docker run args. /var/run/docker.sock is auto-mounted by act_runner
+ # already; listing it here a second time triggers
+ # "Duplicate mount point" on container create. So options carries ONLY
+ # the bind that act_runner doesn't know about: the host's
+ # docker-registry.silverlabs.uk credentials at /root/.docker, which
+ # catthehacker/ubuntu:act-latest reads from /root/.docker/config.json
+ # for `docker push`. Without it the push fails with "no basic auth
+ # credentials" even though `docker build` over the DooD socket works
+ # fine. /cache stays in valid_volumes (workflow-requestable) but
+ # doesn't need an unconditional mount.
+ options: -v /root/.docker:/root/.docker:ro
 # Cache the silvermetal-builder image locally after first pull. Bumping
 # the image digest in BUILDER_IMAGE invalidates and re-pulls automatically.
 force_pull: false
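Review bot: The new `options: -v /root/.docker:/root/.docker:ro` line still binds the host's registry credentials into every job container this runner starts, not only the builder-image job that pushes; `:ro` stops a job from rewriting config.json but not from reading it. The context lines suggest `/root/.docker:/root/.docker:ro` is already in the requestable volume list (presumably `valid_volumes`), so consider dropping it from `options` and letting only the pushing job ask for it under its own `container.volumes`, or replacing the mount with a `docker login` step fed from a registry secret scoped to push. The comment block should also record that every job receives the Docker socket, which is effectively root on the host, so this runner should be registered only for trusted repositories and branches, e.g. `# NOTE: jobs on this runner get the host Docker socket and registry credentials; trusted workflows only.` The `container:` mapping starts above the hunk, so the list's key name and any `docker_host` setting that governs the socket auto-mount are not visible here.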