diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 573e66ea..18924ce3 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -59,6 +59,9 @@ build_mr:
     - *ecr_login
   script: |
     set -eu
+    # force base image pulls via AWS ECR Public to avoid Docker Hub TLS timeout
+    sed -i 's|^FROM golang:1.23-alpine AS builder$|FROM public.ecr.aws/docker/library/golang:1.23-alpine AS builder|' Dockerfile
+    sed -i 's|^FROM alpine:3.20$|FROM public.ecr.aws/docker/library/alpine:3.20|' Dockerfile
     echo "Build (MR) : $ECR_REPOSITORY:$IMAGE_TAG"
     docker build --platform "$TARGET_PLATFORM" -f Dockerfile -t "$ECR_REPOSITORY:$IMAGE_TAG" .
     echo "Pushing image for MR..."
@@ -82,6 +85,9 @@ build_push_dev:
     - *ecr_login
   script: |
     set -eu
+    # force base image pulls via AWS ECR Public to avoid Docker Hub TLS timeout
+    sed -i 's|^FROM golang:1.23-alpine AS builder$|FROM public.ecr.aws/docker/library/golang:1.23-alpine AS builder|' Dockerfile
+    sed -i 's|^FROM alpine:3.20$|FROM public.ecr.aws/docker/library/alpine:3.20|' Dockerfile
     echo "Build & push (dev): $ECR_REPOSITORY:$IMAGE_TAG"
     docker build --platform "$TARGET_PLATFORM" -f Dockerfile -t "$ECR_REPOSITORY:$IMAGE_TAG" .
     docker push "$ECR_REPOSITORY:$IMAGE_TAG"
@@ -138,6 +144,9 @@ build_push_prod:
     - *ecr_login
   script: |
     set -eu
+    # force base image pulls via AWS ECR Public to avoid Docker Hub TLS timeout
+    sed -i 's|^FROM golang:1.23-alpine AS builder$|FROM public.ecr.aws/docker/library/golang:1.23-alpine AS builder|' Dockerfile
+    sed -i 's|^FROM alpine:3.20$|FROM public.ecr.aws/docker/library/alpine:3.20|' Dockerfile
     echo "Build & push (prod): $ECR_REPOSITORY:$IMAGE_TAG"
     docker build --platform "$TARGET_PLATFORM" -f Dockerfile -t "$ECR_REPOSITORY:$IMAGE_TAG" .
     docker push "$ECR_REPOSITORY:$IMAGE_TAG"
diff --git a/Dockerfile b/Dockerfile
index 8529a2f0..e12cdca5 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,7 +1,7 @@
 # =========================
 # Builder stage
 # =========================
-FROM golang:1.23-alpine AS builder
+FROM public.ecr.aws/docker/library/golang:1.23-alpine AS builder
 
 RUN apk add --no-cache git ca-certificates tzdata
 WORKDIR /app
@@ -25,7 +25,7 @@ RUN GOBIN=/usr/local/bin go install -tags "postgres file" -ldflags="-s -w" githu
 # =========================
 # Runtime stage
 # =========================
-FROM alpine:3.20
+FROM public.ecr.aws/docker/library/alpine:3.20
 
 RUN apk add --no-cache ca-certificates tzdata curl bash postgresql-client \
   && adduser -D -H -u 10001 appuser