diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index f5f1662de..dfe76fd2f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -23,9 +23,15 @@ jobs:
     steps:
     - uses: actions/checkout@v4
     - name: Build base image
+      if: github.event_name == 'push'
       run: make -C scripts/docker build VARIANT=base TAG=$IMAGE_TAG
+    - name: Retrieve base image
+      if: github.event_name == 'pull_request' || github.event_name == 'merge_group'
+      run: |
+        docker pull ghcr.io/easycrypt/ec-base-box:main
+        docker tag ghcr.io/easycrypt/ec-base-box:main ghcr.io/easycrypt/ec-base-box:$IMAGE_TAG
     - name: Build build image
-      run: make -C scripts/docker build VARIANT=build TAG=$IMAGE_TAG
+      run: make -C scripts/docker build VARIANT=build TAG=$IMAGE_TAG BARGS='--build-arg BASE_LAYER=ghcr.io/easycrypt/ec-base-box:${IMAGE_TAG}'
     - name: Save images for downstream jobs
       run: |
         docker save "ghcr.io/easycrypt/ec-base-box:$IMAGE_TAG" | gzip > base-image.tar.gz
@@ -228,12 +234,7 @@ jobs:
   publish:
     name: Publish Docker images
     if: |
-      github.event_name == 'push' && (
-        github.ref == 'refs/heads/main' ||
-        github.ref == 'refs/heads/release' ||
-        github.ref == 'refs/heads/latest' ||
-        startsWith(github.ref, 'refs/tags/r')
-      )
+      github.event_name == 'push'
     needs: [compile-opam, compile-nix, check, external, external-status, docker]
     runs-on: ubuntu-24.04
     permissions:
@@ -266,8 +267,7 @@ jobs:
         github.ref == 'refs/heads/latest' ||
         github.ref_type == 'tag'
       run: |
-        make -C scripts/docker build VARIANT=test TAG=${{ github.ref_name }}
-        make -C scripts/docker publish VARIANT=test TAG=${{ github.ref_name }}
+        make -C scripts/docker build publish VARIANT=test TAG=${{ github.ref_name }} BARGS='--build-arg BUILD_LAYER=ghcr.io/easycrypt/ec-build-box:${{ github.ref_name }}'
 
   # ── Notification ──