diff --git a/.github/actions/build/action.yml b/.github/actions/build/action.yml
index 5ef4f96..18045c0 100644
--- a/.github/actions/build/action.yml
+++ b/.github/actions/build/action.yml
@@ -88,58 +88,3 @@ runs:
 with:
 name: dashboard-${{ inputs.platform }}-${{ inputs.environment }}
 path: dashboard/.next
-
- - name: Docker login (GHCR)
- if: inputs.environment == 'prod'
- uses: docker/login-action@v3
- with:
- registry: ghcr.io
- username: ${{ github.actor }}
- password: ${{ secrets.GITHUB_TOKEN }}
-
- - name: Generate Auto Tags
- if: inputs.environment == 'prod'
- id: meta
- uses: ../auto-tag
- with:
- image: ghcr.io/${{ github.repository_owner }}/${{ inputs.service }}
-
- - name: Build and (optionally) push images
- if: inputs.environment == 'prod'
- id: build-image
- uses: docker/build-push-action@v6
- with:
- context: ${{ inputs.service == 'dashboard' && 'dashboard' || inputs.service }}
- file: ${{ inputs.service == 'dashboard' && 'dashboard/Dockerfile' || format('{0}/Dockerfile', inputs.service) }}
- platforms: ${{ steps.matrix.outputs.target_platforms }}
- push: true
- tags: ${{ steps.meta.outputs.tags }}
- labels: ${{ steps.meta.outputs.labels }}
-
- - name: Generate SBOM
- if: inputs.environment == 'prod'
- uses: anchore/sbom-action@v0
- with:
- image: ghcr.io/${{ github.repository_owner }}/${{ inputs.service }}@${{ steps.build-image.outputs.digest }}
- output-file: sbom-${{ inputs.service }}.spdx.json
-
- - name: Upload SBOM artifact
- if: inputs.environment == 'prod'
- uses: actions/upload-artifact@v4
- with:
- name: sbom-${{ inputs.service }}
- path: sbom-${{ inputs.service }}.spdx.json
-
- - name: Install Cosign
- if: inputs.environment == 'prod'
- uses: sigstore/cosign-installer@v3
- with:
- cosign-release: 'v2.4.1'
-
- - name: Cosign image
- if: inputs.environment == 'prod'
- env:
- COSIGN_EXPERIMENTAL: "true"
- run: |
- IMG=ghcr.io/${{ github.repository_owner }}/${{ inputs.service }}@${{ steps.build-image.outputs.digest }}
- cosign sign --yes "$IMG"
diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml
index 4641300..febae88 100644
--- a/.github/workflows/pipeline.yml
+++ b/.github/workflows/pipeline.yml
@@ -55,6 +55,23 @@ jobs:
 service: ${{ matrix.service }}
 platform: ${{ matrix.platform }}
 
+ - name: Build Base Images
+ id: base
+ uses: ./.github/actions/build-base-images/
+ secrets: inherit
+ with:
+ push_images: false # CI 阶段不 push,只 build 并生成 digest
+
+ - name: Build Service Images
+ uses: ./.github/actions/build-service-images/
+ secrets: inherit
+ with:
+ push_images: false
+ node_builder_digest: ${{ steps.base.outputs.node_builder_digest }}
+ node_runtime_digest: ${{ steps.base.outputs.node_runtime_digest }}
+ postgres_runtime_digest: ${{ steps.base.outputs.postgres_runtime_digest }}
+ openresty_geoip_digest: ${{ steps.base.outputs.openresty_geoip_digest }}
+
 # -------------------------------------------------------------
 # CI STAGE 3 — Test
 # -------------------------------------------------------------
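Review bot: `secrets: inherit` on the two new "Build Base Images" and "Build Service Images" steps is not a valid step key — it is a reusable-workflow job setting (`jobs.<id>.secrets`), and a composite action invoked from a step only receives secrets through `with:` inputs or `env:`, so the workflow will likely fail validation; pass what the actions need explicitly, e.g. `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` under the step's `env:`. The inline comment on `push_images: false` is in Chinese while the rest of the file's comments are English; `# CI stage: build only, no push; emit digests for downstream steps` keeps the file consistent. With `push_images: false`, whether the `*_digest` outputs consumed by the service-image step are populated depends on how the base-image action obtains a digest from a non-pushed build, which is outside this diff, so it is worth confirming they are not empty strings. The previous hunk removes SBOM generation and cosign signing from `actions/build`, and nothing in this diff shows those steps moving into the new `build-service-images` action; the prod push path should be checked to still produce an SBOM and sign images by digest.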