diff --git a/.forgejo/workflows/self-deploy.yml b/.forgejo/workflows/self-deploy.yml
index 9fcce9e5d..613a00708 100644
--- a/.forgejo/workflows/self-deploy.yml
+++ b/.forgejo/workflows/self-deploy.yml
@@ -96,16 +96,25 @@ jobs:
 "${SF_REGISTRY:-registry.infra.centralcloud.com}" \
 --username "$SF_REGISTRY_USER" --password-stdin
- - name: Build server image with Nix
+ # The pure-Nix sf-server-image build (`nix build .#sf-server-image`)
+ # OOMKills the runner pod even at 16Gi+ — node2nix fans out into
+ # thousands of small per-package derivations whose concurrent
+ # working set exceeds reasonable limits. Falling back to plain
+ # `docker build` via the host docker daemon (mounted via
+ # /var/run/docker.sock from vega). The Dockerfile multi-stage build
+ # runs npm ci + next build inside a single container, which is
+ # bounded and works on the existing 6Gi runner.
+ - name: Build server image
 run: |
 set -euo pipefail
- image_stream="$(nix build --no-link --print-out-paths .#sf-server-image)"
- loaded_image="$("$image_stream" | docker load | awk -F': ' '/Loaded image:/ { print $2 }')"
- if [ -z "$loaded_image" ]; then
- echo "docker load did not report a loaded image" >&2
- exit 1
- fi
- docker tag "$loaded_image" "${{ steps.image.outputs.image }}"
+ docker build \
+ -f docker/Dockerfile.sf-server \
+ --build-arg "SF_GIT_SHA=${GITHUB_SHA:-$(git rev-parse HEAD)}" \
+ --build-arg "SF_GIT_REF=${GITHUB_REF_NAME:-$(git rev-parse --abbrev-ref HEAD)}" \
+ --build-arg "SF_RELEASE_IMAGE=${{ steps.image.outputs.image }}" \
+ --build-arg "SF_IMAGE_REPOSITORY=${SF_IMAGE_REPOSITORY:-${SF_REGISTRY:-registry.infra.centralcloud.com}/singularity/sf-server}" \
+ -t "${{ steps.image.outputs.image }}" \
+ .
 - name: Push server image
 if: env.SF_PUSH_IMAGE != '0'
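Review bot: The comment above `Build server image` explains why the Nix build was dropped but not what the replacement costs in trust. With `/var/run/docker.sock` mounted, every step of this job can drive the host daemon (vega, per the comment), which is root-equivalent on that host, and the image is built from whatever base layers and build cache that shared daemon already holds. I would extend the comment with a line such as `# NOTE: the docker.sock mount gives this job root-equivalent access to the host; restrict this workflow to trusted refs.` and add `--pull \` to the `docker build` invocation so the base image is re-resolved against the registry instead of the host's local store. The build also now fetches dependencies over the network via `npm ci` rather than from a pinned Nix closure; whether `docker/Dockerfile.sf-server` pins its base image by digest is not visible in this hunk and is worth confirming. Separately, `${{ steps.image.outputs.image }}` is expanded into the script text before the shell runs (this predates the change); binding it once under the step's `env:` and using `"$IMAGE"` would keep it out of the script source.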