diff --git a/action.yml b/action.yml
index 23f7d09..e95c158 100644
--- a/action.yml
+++ b/action.yml
@@ -40,7 +40,10 @@ runs:
 OUR_IP="154.83.149.72"
 echo "::group::setup"
- apk add --no-cache git jq bind-tools >/dev/null 2>&1 || true
+ # platform-ci-base bakes in git/jq/dig/rsync/bun — skip apk on the fast path,
+ # fall back to installing only if a tool is missing (e.g. stock docker:24 image).
+ command -v git >/dev/null 2>&1 && command -v jq >/dev/null 2>&1 && command -v dig >/dev/null 2>&1 \
+ || apk add --no-cache git jq bind-tools rsync >/dev/null 2>&1 || true
 REPO="$IN_REPO"; REF="$IN_REF"; SHA="${IN_SHA:-manual}"
 SLUG=$(printf '%s' "$REPO" | tr 'A-Z/' 'a-z-')
 FRAG="/srv/platform/caddy/sites/${SLUG}.caddy"
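Review bot: The fast-path probe on the added `command -v` line checks only git, jq and dig, although the comment and the fallback package list also rely on rsync, and the fallback never provides bun, which the static branch in the next hunk now calls directly. On an image that has the three probed tools but not rsync, or on the stock image the comment mentions, the step carries on and fails later at an unrelated line. Output is discarded and `|| true` swallows the status, so a failed `apk add` leaves no trace in the log. Suggest adding `&& command -v rsync >/dev/null 2>&1` to the chain, replacing the trailing `|| true` with `|| { echo "::error::tool install failed"; exit 1; }`, and guarding the static branch with `command -v bun >/dev/null 2>&1 || { echo "::error::bun not available in job image"; exit 1; }`.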
@@ -137,27 +140,22 @@ runs:
 case "$DT" in
 static)
- echo "::group::build (bun)"
- BH="build-${SLUG}-${SHA}"
- docker rm -f "$BH" >/dev/null 2>&1 || true
- trap 'docker rm -f "$BH" >/dev/null 2>&1 || true' EXIT
- docker run -d --name "$BH" -w /app oven/bun:1-alpine sleep 1200 >/dev/null
- docker cp /tmp/repo/. "$BH:/app/"
- if docker exec -w /app "$BH" sh -c '[ -f bun.lock ] || [ -f bun.lockb ]'; then
- docker exec -w /app "$BH" sh -c 'bun install --frozen-lockfile'
- else
- docker exec -w /app "$BH" sh -c 'bun install'
- fi
- docker exec -w /app "$BH" sh -c 'bun run build'
+ # build IN-PLACE — the job runs on platform-ci-base which has bun, so no
+ # throwaway helper + docker-cp round-trip. (Trade-off: the dev's build runs
+ # in the privileged job container; consistent with the Phase-6 socket-accepted
+ # model. Revert to the sandboxed helper if that matters more than ~3s.)
+ echo "::group::build (bun, in-place)"
+ cd /tmp/repo
+ if [ -f bun.lock ] || [ -f bun.lockb ]; then bun install --frozen-lockfile; else bun install; fi
+ bun run build
 echo "::endgroup::"
 echo "::group::publish static → /srv/sites/$DOMAIN"
+ [ -d "/tmp/repo/${BUILD_DIR}" ] || { echo "::error::build output '${BUILD_DIR}' not found"; exit 1; }
 TMP="/srv/sites/.tmp-${SLUG}-${SHA}"
 rm -rf "$TMP"; mkdir -p "$TMP"
- docker cp "$BH:/app/${BUILD_DIR}/." "$TMP/" \
- || { echo "::error::build output '${BUILD_DIR}' not found"; exit 1; }
+ cp -a "/tmp/repo/${BUILD_DIR}/." "$TMP/"
 rm -rf "/srv/sites/${DOMAIN}"; mv "$TMP" "/srv/sites/${DOMAIN}"
- docker rm -f "$BH" >/dev/null 2>&1 || true; trap - EXIT
 echo " $(find "/srv/sites/${DOMAIN}" -type f | wc -l) files published"
 echo "::endgroup::"
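Review bot: The publish step now resolves `/tmp/repo/${BUILD_DIR}` inside the privileged job container, and neither the added `[ -d ... ]` test nor `cp -a` confines that path to the checkout. Because the preceding build runs repository-controlled code, a build directory that is a symlink, or a `BUILD_DIR` containing `..` (its origin is outside this hunk), would cause job-container files to be copied into the public web root; with the old helper the same path resolved inside a throwaway container. Resolve it first and reject anything outside the checkout, e.g. `OUT=$(realpath "/tmp/repo/${BUILD_DIR}")` then `case "$OUT" in /tmp/repo/*) ;; *) echo "::error::build output escapes checkout"; exit 1 ;; esac`, and copy from `"$OUT/."`. The new `cp -a` also lost the `|| { ...; exit 1; }` guard the removed `docker cp` had, so unless `set -e` is active outside this hunk a failed copy is followed by `rm -rf` of the live site; add `|| exit 1` to it and to `cd /tmp/repo`. The enclosing `case "$DT"` block starts and ends outside the hunk.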