diff --git a/.forgejo/workflows/docker-build.yml b/.forgejo/workflows/docker-build.yml
index 1b74a67..cff77b0 100644
--- a/.forgejo/workflows/docker-build.yml
+++ b/.forgejo/workflows/docker-build.yml
@@ -45,5 +45,7 @@ jobs:
 push: true
 tags: ${{ steps.meta.outputs.tags }}
 labels: ${{ steps.meta.outputs.labels }}
+ secrets: |
+ composer_auth=${{ secrets.COMPOSER_AUTH }}
 cache-from: type=registry,ref=${{ env.IMAGE }}:buildcache
 cache-to: type=registry,ref=${{ env.IMAGE }}:buildcache,mode=max
diff --git a/Dockerfile b/Dockerfile
index 6666e29..a02b149 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,3 +1,5 @@
+# syntax=docker/dockerfile:1
+
 # Stage 1: Build frontend assets
 FROM node:20-alpine AS node-builder
 WORKDIR /app
@@ -10,8 +12,9 @@ RUN npm run build
 FROM composer:2 AS composer-builder
 WORKDIR /app
 COPY composer.json composer.lock ./
-# Install without dev dependencies and without running scripts that need .env
-RUN composer install \
+# Mount auth.json as a secret so it never gets baked into the image
+RUN --mount=type=secret,id=composer_auth,dst=/root/.composer/auth.json \
+ composer install \
 --no-dev \
 --no-interaction \
 --no-plugins \
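Review bot: The added `composer_auth=${{ secrets.COMPOSER_AUTH }}` line passes what is presumably a JSON auth.json inline through the `secrets` input, which is likely to mangle it. If this step is docker/build-push-action (the `uses:` line is outside the hunk), that input is parsed as CSV, so double quotes, commas and newlines in the value are altered or split unless the pair is quoted and inner quotes are doubled, which cannot be done for an expanded secret. Passing the value by reference avoids the parsing: set `COMPOSER_AUTH: ${{ secrets.COMPOSER_AUTH }}` under the step's `env:` and use `secret-envs: composer_auth=COMPOSER_AUTH`. Separately, `cache-to` with `mode=max` exports the layer holding the installed private packages, so read access to the `:buildcache` ref should be as tight as access to those packages.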
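Review bot: `# syntax=docker/dockerfile:1` is a floating tag, so every build pulls whichever frontend image the registry currently serves, and that frontend now processes a build with a secret mounted. Consider pinning it by digest, e.g. `# syntax=docker/dockerfile:1@sha256:<digest-of-reviewed-frontend>` (placeholder), and updating the digest deliberately. The same reasoning applies to `node:20-alpine` and `composer:2` if reproducible builds matter here.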
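Review bot: The secret mount on the new `RUN` line is optional by default, so a build where `composer_auth` is not supplied still runs `composer install` without credentials and either fails later with an unrelated-looking auth error or resolves only public packages; `required=true` turns that into an immediate failure: `RUN --mount=type=secret,id=composer_auth,required=true,dst=/root/.composer/auth.json \`. Please also confirm Composer reads that path in this stage: as far as I know the official `composer` image sets `COMPOSER_HOME` to `/tmp`, in which case `/root/.composer/auth.json` would be ignored and a project-root mount such as `dst=/app/auth.json` would be picked up instead. The replaced comment explained why dev dependencies and scripts are skipped; it would help to keep that sentence next to the new one. The `RUN` instruction continues past the end of the hunk.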