diff --git a/.github/actions/setup-buildx/action.yml b/.github/actions/setup-buildx/action.yml
index e19a4d083..41210035f 100644
--- a/.github/actions/setup-buildx/action.yml
+++ b/.github/actions/setup-buildx/action.yml
@@ -21,6 +21,15 @@ inputs:
 name:
 description: Builder instance name
 default: openshell
+ buildkitd-config:
+ description: >
+ Path to a buildkitd.toml to configure the builder with (e.g. the
+ nv-gha-runners Docker Hub mirror at /etc/buildkit/buildkitd.toml).
+ Must be readable *from where this action runs* — in a containerized
+ job that means the caller must bind-mount the host path into the job
+ container (e.g. `volumes: [/etc/buildkit:/etc/buildkit:ro]`). Empty
+ disables the config (default).
+ default: ""
 runs:
 using: composite
@@ -36,6 +45,7 @@ runs:
 append: |
 - endpoint: ${{ inputs.arm64-endpoint }}
 platforms: linux/arm64
+ buildkitd-config: ${{ inputs.buildkitd-config }}
 - name: Set up Docker Buildx (local)
 if: inputs.driver == 'local'
@@ -44,8 +54,4 @@ runs:
 name: ${{ inputs.name }}
 driver: docker-container
 platforms: linux/amd64,linux/arm64
- # Use the nv-gha-runners Docker Hub mirror to avoid unauthenticated
- # pull rate limits on shared runners. The TOML is pre-populated on
- # every nv-gha-runner. Per:
- # https://docs.gha-runners.nvidia.com/platform/best-practices/#use-docker-cache-for-buildkit
- buildkitd-config: /etc/buildkit/buildkitd.toml
+ buildkitd-config: ${{ inputs.buildkitd-config }}
diff --git a/.github/workflows/shadow-docker-build.yml b/.github/workflows/shadow-docker-build.yml
index 0cc26d72b..05dcc6889 100644
--- a/.github/workflows/shadow-docker-build.yml
+++ b/.github/workflows/shadow-docker-build.yml
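Review bot: The description of the new `buildkitd-config` input in action.yml explains where the file must be readable but not who is expected to own it. Since the file carries the registry-mirror configuration the builder pulls through, callers should not be able to mistake it for something that may live in the repository. Consider adding a sentence such as `The file should be provisioned by the runner image, not taken from the checked-out workspace.` The `inputs:` mapping starts outside the hunk.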
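Review bot: In the last action.yml hunk (the local-driver step), replacing the hard-coded `/etc/buildkit/buildkitd.toml` with an input that defaults to `""` means any caller that does not pass `buildkitd-config` now builds without the Docker Hub mirror, and nothing reports that. Only shadow-docker-build.yml is updated in this diff, so other workflows that use this action with `driver: local`, if there are any, presumably need the same `volumes` entry and `with:` value. The removed comment's rationale is also lost at the point of use; something like `# Optional mirror config; empty means direct Docker Hub pulls (rate-limited on shared runners).` above the new line would keep it. The step itself starts outside the hunk.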
@@ -45,6 +45,11 @@ jobs:
 options: --privileged
 volumes:
 - /var/run/docker.sock:/var/run/docker.sock
+ # Expose the nv-gha-runners buildkitd.toml (registry-mirror config)
+ # inside the container so docker/setup-buildx-action can read it.
+ # The file is pre-populated on every nv-gha-runner per:
+ # https://docs.gha-runners.nvidia.com/platform/best-practices/#use-docker-cache-for-buildkit
+ - /etc/buildkit:/etc/buildkit:ro
 timeout-minutes: 45
 steps:
 - uses: actions/checkout@v4
@@ -61,6 +66,10 @@ jobs:
 uses: ./.github/actions/setup-buildx
 with:
 driver: local
+ # Bind-mounted above via container.volumes; without that, the file
+ # is on the host but invisible to the action (which runs inside
+ # the ci:latest container).
+ buildkitd-config: /etc/buildkit/buildkitd.toml
 - name: Package Helm chart (cluster only)
 if: matrix.component == 'cluster'
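Review bot: The new `/etc/buildkit:/etc/buildkit:ro` volume in the first hunk and the hard-coded `buildkitd-config: /etc/buildkit/buildkitd.toml` in the second both assume the job runs on a runner that already has that directory, and nothing in the visible lines checks it. Docker normally creates a missing bind-mount source as an empty directory, so on any other runner the mount would succeed and the failure would surface only later, inside the setup-buildx step. A short guard before the action call, for example `- run: test -r /etc/buildkit/buildkitd.toml`, would make the requirement explicit and fail with a clear cause. The `:ro` flag guards against accidental writes only, since the context lines show the same container running with `--privileged` and the Docker socket mounted. The job definition starts outside both hunks.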