diff --git a/.forgejo/workflows/build-iso.yml b/.forgejo/workflows/build-iso.yml
index 55454ef..a244c4a 100644
--- a/.forgejo/workflows/build-iso.yml
+++ b/.forgejo/workflows/build-iso.yml
@@ -16,14 +16,12 @@ jobs:
   build-iso:
     runs-on: ubuntu-latest
     timeout-minutes: 30
-    # Attach the job container to `forgejo-runner_default` so the
-    # `docker-in-docker` hostname (the DinD sidecar) is DNS-resolvable.
-    # Without this the job runs on its own per-job network and DOCKER_HOST
-    # resolves nowhere. catthehacker/ubuntu:act-latest already ships
-    # docker CLI, so we don't need to apt-install anything.
-    container:
-      image: catthehacker/ubuntu:act-latest
-      options: --network forgejo-runner_default
+    # DOCKER_HOST points the docker CLI at the DinD sidecar. The sidecar's
+    # hostname is DNS-resolvable because forgejo-runner is configured with
+    # `container.network: "forgejo-runner_default"`, which attaches every
+    # job container to the shared network where docker-in-docker lives.
+    # The default `ubuntu-latest` image (catthehacker/ubuntu:act-latest)
+    # already ships the docker CLI.
     env:
       DOCKER_HOST: tcp://docker-in-docker:2375
     steps: