diff --git a/.forgejo/workflows/promote.yml b/.forgejo/workflows/promote.yml
index 2fae872..f7b861c 100644
--- a/.forgejo/workflows/promote.yml
+++ b/.forgejo/workflows/promote.yml
@@ -11,18 +11,24 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
+    - name: Checkout code at tag
+      uses: actions/checkout@v4
+
     - name: Install kubectl
       run: |
         curl -sLO "https://dl.k8s.io/release/$(curl -sL https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
         chmod +x kubectl
 
-    - name: Get image from tag
+    - name: Get image info
       id: image
       run: |
-        # Tag format: v0.2.1 or v0.2.1-rc1
-        # The staging pipeline already pushed the image with the commit SHA
-        # We retag with the version tag for traceability
+        # Use the commit SHA instead of "latest" to avoid a race condition:
+        # The tag event can fire before the staging build (deploy.yml) finishes
+        # pushing the new "latest" image. By referencing the exact SHA that
+        # deploy.yml tags images with (${{ github.sha }}), we ensure we
+        # promote the correct build — and wait for it if it's still running.
         echo "tag=${{ github.ref_name }}" >> "$GITHUB_OUTPUT"
+        echo "sha=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"
 
     - name: Login to Forgejo Registry
       uses: docker/login-action@v3
@@ -31,13 +37,28 @@ jobs:
         username: openclawd
         password: ${{ secrets.REGISTRY_TOKEN }}
 
-    - name: Retag image for production
+    - name: Wait for staging image and retag for production
       run: |
-        # Pull latest staging image and tag with version
-        docker pull --platform linux/arm64 git.cloonar.com/openclawd/docfast:latest
-        docker tag git.cloonar.com/openclawd/docfast:latest \
-          git.cloonar.com/openclawd/docfast:${{ steps.image.outputs.tag }}
-        docker push git.cloonar.com/openclawd/docfast:${{ steps.image.outputs.tag }}
+        SHA_IMAGE="git.cloonar.com/openclawd/docfast:${{ steps.image.outputs.sha }}"
+        PROD_IMAGE="git.cloonar.com/openclawd/docfast:${{ steps.image.outputs.tag }}"
+
+        # Wait for the SHA-tagged image (built by staging) to be available
+        for i in $(seq 1 20); do
+          echo "Attempt $i/20: pulling $SHA_IMAGE ..."
+          if docker pull --platform linux/arm64 "$SHA_IMAGE" 2>/dev/null; then
+            echo "✅ Image found!"
+            break
+          fi
+          if [ "$i" -eq 20 ]; then
+            echo "❌ Image not available after 10 minutes. Aborting."
+            exit 1
+          fi
+          echo "Image not ready yet, waiting 30s..."
+          sleep 30
+        done
+
+        docker tag "$SHA_IMAGE" "$PROD_IMAGE"
+        docker push "$PROD_IMAGE"
 
     - name: Deploy to Production
       run: |