diff --git a/linux/build/runner/config.yaml b/linux/build/runner/config.yaml
index f60b774..3fce76d 100644
--- a/linux/build/runner/config.yaml
+++ b/linux/build/runner/config.yaml
@@ -24,19 +24,25 @@ container:
 valid_volumes:
 - /cache
 - /var/run/docker.sock
- - /root/.docker
+ - /root/.docker/config.json
 # `options` is applied on top of act_runner's default per-job-container
 # docker run args. /var/run/docker.sock is auto-mounted by act_runner
 # already; listing it here a second time triggers
 # "Duplicate mount point" on container create. So options carries ONLY
- # the bind that act_runner doesn't know about: the host's
- # docker-registry.silverlabs.uk credentials at /root/.docker, which
- # catthehacker/ubuntu:act-latest reads from /root/.docker/config.json
- # for `docker push`. Without it the push fails with "no basic auth
- # credentials" even though `docker build` over the DooD socket works
- # fine. /cache stays in valid_volumes (workflow-requestable) but
- # doesn't need an unconditional mount.
- options: -v /root/.docker:/root/.docker:ro
+ # what act_runner doesn't provide: the host's docker-registry.silverlabs.uk
+ # credentials, which catthehacker/ubuntu:act-latest's docker-cli reads
+ # from /root/.docker/config.json for `docker push`. Without it the push
+ # fails with "no basic auth credentials" even though `docker build`
+ # over the DooD socket works fine.
+ #
+ # We mount the FILE (not the directory) read-only:
+ # - ro is essential — config.json is the host's actual creds file.
+ # - file-only (not /root/.docker:ro) keeps /root/.docker writable on the
+ # container's own overlay so buildx can write its activity tracking
+ # to /root/.docker/buildx/. Mounting the whole dir :ro broke run #4267
+ # with "failed to update builder last activity time: …read-only
+ # file system".
+ options: -v /root/.docker/config.json:/root/.docker/config.json:ro
 # Cache the silvermetal-builder image locally after first pull. Bumping
 # the image digest in BUILDER_IMAGE invalidates and re-pulls automatically.
 force_pull: false
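Review bot: The new `options` line makes the host's registry credentials readable by every job this runner executes, and the `:ro` the comment calls "essential" only prevents the container from modifying config.json, not from reading the `auths` entries it holds — the comment block should state that trade-off rather than presenting `ro` as the protection. Because the DooD socket is already mounted the job is effectively host-root anyway, so this is not a new trust boundary, but it does mean the login stored on the host should be a push-only, runner-dedicated registry identity so that a malicious or compromised workflow cannot gain more than push on this one registry; suggested addition under "We mount the FILE": `# - Any job step can READ this file; :ro stops writes, not disclosure. Keep the host login a push-only account dedicated to this runner.`. Two smaller caveats to confirm: if the host config.json ever moves to `credsStore`/`credHelpers` instead of inline `auths`, the file alone carries no secret and the helper binary is absent inside the image, so the push would regress silently; and a single-file bind follows the inode, so a host `docker login` that rewrites config.json via temp-file-and-rename is seen only by containers started afterwards, not by a job already running (harmless per-job here, but worth a line in the comment).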