diff --git a/linux/build/runner/config.yaml b/linux/build/runner/config.yaml
index 4348a34..f60b774 100644
--- a/linux/build/runner/config.yaml
+++ b/linux/build/runner/config.yaml
@@ -15,10 +15,16 @@ runner:
 container:
   network: host
   privileged: true       # required: live-build needs loop devices + chroot
+  # `valid_volumes` is an allowlist of **source paths** (globs), not full
+  # bind specs. Listing "/root/.docker:/root/.docker:ro" here makes the
+  # runner silently drop the bind from container.options with
+  # "[/root/.docker] is not a valid volume, will be ignored" — because
+  # the literal pattern "/root/.docker:/root/.docker:ro" doesn't match
+  # the bind source "/root/.docker". Source paths only:
   valid_volumes:
-    - "/cache:/cache"
-    - "/var/run/docker.sock:/var/run/docker.sock"
-    - "/root/.docker:/root/.docker:ro"
+    - /cache
+    - /var/run/docker.sock
+    - /root/.docker
   # `options` is applied on top of act_runner's default per-job-container
   # docker run args. /var/run/docker.sock is auto-mounted by act_runner
   # already; listing it here a second time triggers