diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index 6e3aff5..5b84e09 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -56,19 +56,16 @@ jobs:
 runs-on: ubuntu-latest
 if: github.event_name == 'push'
 container:
- image: gitea.siegeln.net/cameleer/cameleer-build:1
+ image: gitea.siegeln.net/cameleer/cameleer-docker-builder:1
 credentials:
 username: cameleer
 password: ${{ secrets.REGISTRY_TOKEN }}
 steps:
- - uses: actions/checkout@v4
-
- - name: Cache Maven dependencies
- uses: actions/cache@v4
- with:
- path: ~/.m2/repository
- key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
- restore-keys: ${{ runner.os }}-maven-
+ - name: Checkout
+ run: |
+ git clone --depth=1 --branch=${GITHUB_REF_NAME} https://cameleer:${REGISTRY_TOKEN}@gitea.siegeln.net/${GITHUB_REPOSITORY}.git .
+ env:
+ REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
 - name: Login to registry
 run: echo "$REGISTRY_TOKEN" | docker login gitea.siegeln.net -u cameleer --password-stdin
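Review bot: The Checkout step embeds `REGISTRY_TOKEN` in the clone URL, so git writes it to `.git/config` as the `origin` URL, where it stays for the rest of the job and sits inside the `.` build context used by the later `docker buildx build` steps unless a `.dockerignore` outside this diff excludes `.git`. Running `git remote set-url origin "https://gitea.siegeln.net/${GITHUB_REPOSITORY}.git"` right after the clone removes it from the workspace; supplying the credential through a git credential helper instead of the URL would also keep it off the command line. The clone takes the tip of `${GITHUB_REF_NAME}` rather than the triggering commit, while the images are tagged with `${{ github.sha }}`, so I would add `test "$(git rev-parse HEAD)" = "$GITHUB_SHA"` to fail the job when the branch has moved. `--branch=${GITHUB_REF_NAME}` should also be quoted.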
@@ -92,42 +89,25 @@ jobs:
 echo "IMAGE_TAGS=branch-$SLUG" >> "$GITHUB_ENV"
 fi
- - name: Build SaaS frontend
- run: |
- cd ui
- echo "//gitea.siegeln.net/api/packages/cameleer/npm/:_authToken=${REGISTRY_TOKEN}" >> .npmrc
- npm ci
- npm run build
- cp -r dist/ ../src/main/resources/static/
- env:
- REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
-
- - name: Build SaaS JAR
- run: mvn package -DskipTests -B
-
- - name: Build sign-in UI
- run: |
- cd ui/sign-in
- echo "//gitea.siegeln.net/api/packages/cameleer/npm/:_authToken=${REGISTRY_TOKEN}" >> .npmrc
- npm ci
- npm run build
- env:
- REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
-
- - name: Set up Docker buildx
- run: |
- docker buildx create --use --name cibuilder 2>/dev/null || true
+ - name: Set up QEMU for cross-platform builds
+ run: docker run --rm --privileged gitea.siegeln.net/cameleer/binfmt:1 --install all
 - name: Build and push SaaS image
 run: |
+ docker buildx create --use --name cibuilder
 TAGS="-t gitea.siegeln.net/cameleer/cameleer-saas:${{ github.sha }}"
 for TAG in $IMAGE_TAGS; do
 TAGS="$TAGS -t gitea.siegeln.net/cameleer/cameleer-saas:$TAG"
 done
 docker buildx build --platform linux/amd64 \
+ --build-arg REGISTRY_TOKEN="$REGISTRY_TOKEN" \
 $TAGS \
+ --cache-from type=registry,ref=gitea.siegeln.net/cameleer/cameleer-saas:buildcache \
+ --cache-to type=registry,ref=gitea.siegeln.net/cameleer/cameleer-saas:buildcache,mode=max \
 --provenance=false \
 --push .
+ env:
+ REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
 - name: Build and push Logto image
 run: |
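Review bot: `--build-arg REGISTRY_TOKEN="$REGISTRY_TOKEN"` passes the registry token as a build argument, and the Dockerfiles in this commit append it to `.npmrc` inside a `RUN` layer; because `--cache-to ...,mode=max` exports the intermediate layers of every stage, that layer is likely pushed to the `buildcache` ref and readable by anyone who can pull it. The same applies to the Logto build in the next hunk and to `ARG REGISTRY_TOKEN` in both Dockerfiles. A BuildKit secret keeps the value out of layers, cache and build metadata: replace the line with `--secret id=registry_token,env=REGISTRY_TOKEN \`, and in the Dockerfiles prefix the install step with `RUN --mount=type=secret,id=registry_token`, reading the token from `/run/secrets/registry_token` into an npm config file that is removed in the same `RUN`. Since a token has already been written to the cache ref if this ran, it should be rotated and the `buildcache` tags deleted.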
@@ -136,7 +116,12 @@ jobs:
 TAGS="$TAGS -t gitea.siegeln.net/cameleer/cameleer-logto:$TAG"
 done
 docker buildx build --platform linux/amd64 \
+ --build-arg REGISTRY_TOKEN="$REGISTRY_TOKEN" \
 -f ui/sign-in/Dockerfile \
 $TAGS \
+ --cache-from type=registry,ref=gitea.siegeln.net/cameleer/cameleer-logto:buildcache \
+ --cache-to type=registry,ref=gitea.siegeln.net/cameleer/cameleer-logto:buildcache,mode=max \
 --provenance=false \
 --push ui/sign-in/
+ env:
+ REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
diff --git a/Dockerfile b/Dockerfile
index 6e0b774..64008a6 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,7 +1,30 @@
+# syntax=docker/dockerfile:1
+
+# Frontend: runs natively on build host
+FROM --platform=$BUILDPLATFORM node:22-alpine AS frontend
+ARG REGISTRY_TOKEN
+WORKDIR /ui
+COPY ui/package.json ui/package-lock.json ui/.npmrc ./
+RUN echo "//gitea.siegeln.net/api/packages/cameleer/npm/:_authToken=${REGISTRY_TOKEN}" >> .npmrc && npm ci
+COPY ui/ .
+RUN npm run build
+
+# Maven build: runs natively on build host (no QEMU emulation)
+FROM --platform=$BUILDPLATFORM eclipse-temurin:21-jdk-alpine AS build
+WORKDIR /build
+COPY .mvn/ .mvn/
+COPY mvnw pom.xml ./
+# Cache deps — only re-downloaded when POM changes
+RUN ./mvnw dependency:go-offline -B || true
+COPY src/ src/
+COPY --from=frontend /ui/dist/ src/main/resources/static/
+RUN ./mvnw package -DskipTests -B
+
+# Runtime: target platform (amd64)
 FROM eclipse-temurin:21-jre-alpine
 WORKDIR /app
 RUN addgroup -S cameleer && adduser -S cameleer -G cameleer
-COPY target/*.jar app.jar
+COPY --from=build /build/target/*.jar app.jar
 USER cameleer
 EXPOSE 8080
 ENTRYPOINT ["java", "-jar", "app.jar"]
diff --git a/ui/sign-in/Dockerfile b/ui/sign-in/Dockerfile
index e249a99..442616a 100644
--- a/ui/sign-in/Dockerfile
+++ b/ui/sign-in/Dockerfile
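Review bot: In the root Dockerfile, `RUN ./mvnw dependency:go-offline -B || true` discards the exit status, so a failed or partial dependency download still yields a layer that is cached and, with the workflow's `mode=max` cache export, reused by later builds until `pom.xml` changes. The failure then surfaces only in `./mvnw package`, if at all, which makes a broken or unreachable repository hard to tell apart from a good build. I would drop `|| true`; if `go-offline` is known to fail on a specific plugin, keep it but say so in the comment above the line, e.g. `# best effort: go-offline fails on <plugin>; package below resolves the rest`.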
@@ -1,2 +1,10 @@
+FROM --platform=$BUILDPLATFORM node:22-alpine AS build
+ARG REGISTRY_TOKEN
+WORKDIR /ui
+COPY package.json package-lock.json .npmrc ./
+RUN echo "//gitea.siegeln.net/api/packages/cameleer/npm/:_authToken=${REGISTRY_TOKEN}" >> .npmrc && npm ci
+COPY . .
+RUN npm run build
+
 FROM ghcr.io/logto-io/logto:latest
-COPY dist/ /etc/logto/packages/experience/dist/
+COPY --from=build /ui/dist/ /etc/logto/packages/experience/dist/