diff --git a/.gitea/workflows/cd.yaml b/.gitea/workflows/cd.yaml
index 1981872b..d263a20c 100644
--- a/.gitea/workflows/cd.yaml
+++ b/.gitea/workflows/cd.yaml
@@ -68,7 +68,7 @@ jobs:
         # actions/checkout@v4 fails before tests can start.
         run: |
           if command -v apk >/dev/null 2>&1; then
-            apk add --no-cache nodejs npm git curl bash openssh-client docker-cli
+            apk add --no-cache nodejs npm git curl bash openssh-client docker-cli docker-cli-buildx
           fi
 
       - uses: actions/checkout@v4
@@ -272,7 +272,7 @@ jobs:
         # actions/checkout@v4 and Telegram failure notifications run.
         run: |
           if command -v apk >/dev/null 2>&1; then
-            apk add --no-cache nodejs npm git curl bash openssh-client docker-cli
+            apk add --no-cache nodejs npm git curl bash openssh-client docker-cli docker-cli-buildx
           fi
 
       - uses: actions/checkout@v4
@@ -341,11 +341,11 @@ jobs:
       # ── API 鏡像建置（含 Layer Cache 加速）──────────────────────────────
       # 2026-04-01 ogt: CACHE_BUST=git_sha 確保 src/ 和 models.json 層每次重建
       # deps 層 (pip install) 仍可 cache → 加速；代碼/配置層強制失效
-      # 2026-05-05 Codex: host runner docker-cli lacks buildx; keep BuildKit
-      # disabled until buildx is installed on the persistent runner image.
+      # 2026-05-05 Codex: host runner bootstrap installs docker-cli-buildx;
+      # keep BuildKit enabled because the web Dockerfile uses RUN --mount.
       - name: Build and Push API
         env:
-          DOCKER_BUILDKIT: "0"
+          DOCKER_BUILDKIT: "1"
         run: |
           docker build -f apps/api/Dockerfile \
             --build-arg BUILDKIT_INLINE_CACHE=1 \
@@ -364,10 +364,10 @@ jobs:
       # 2026-04-01 Claude Code: CACHE_BUST=git_sha 取代 --no-cache
       # - deps 層 (pnpm install) 仍可 cache → 節省 ~2-3 min
       # - COPY . . 以下由 CACHE_BUST 強制失效 → 業務邏輯/CSRF 等變更正確進入 bundle
-      # 2026-05-05 Codex: mirror API build mode; host runner docker-cli lacks buildx.
+      # 2026-05-05 Codex: mirror API build mode; BuildKit required for cache mounts.
       - name: Build and Push Web
         env:
-          DOCKER_BUILDKIT: "0"
+          DOCKER_BUILDKIT: "1"
         run: |
           docker build -f apps/web/Dockerfile \
             --build-arg NEXT_PUBLIC_API_URL=https://awoooi.wooo.work \
@@ -832,7 +832,7 @@ jobs:
         # notifications, so it needs the same runner bootstrap as earlier jobs.
         run: |
           if command -v apk >/dev/null 2>&1; then
-            apk add --no-cache nodejs npm git curl bash openssh-client docker-cli
+            apk add --no-cache nodejs npm git curl bash openssh-client docker-cli docker-cli-buildx
           fi
 
       - uses: actions/checkout@v4