diff --git a/.gitea/workflows/release.yml b/.gitea/workflows/release.yml
index a6c2b85..12fdb77 100644
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
@@ -146,12 +146,31 @@ jobs:
           GIT_SSH_COMMAND="ssh -o IdentitiesOnly=yes -o StrictHostKeyChecking=yes -o UserKnownHostsFile=$AUR_KNOWN_HOSTS -i $AUR_KEY_PATH" \
             git clone ssh://aur@aur.archlinux.org/unitdore.git aur-repo
 
-          # Compute SHA256 of the release tarball (same URL the PKGBUILD will download)
+          CURRENT_PKGVER=$(awk -F= '/^pkgver=/ {print $2; exit}' aur-repo/PKGBUILD | tr -d "[:space:]")
+          CURRENT_PKGREL=$(awk -F= '/^pkgrel=/ {print $2; exit}' aur-repo/PKGBUILD | tr -d "[:space:]")
+
+          if [ "$CURRENT_PKGVER" = "$PKGVER" ]; then
+            case "$CURRENT_PKGREL" in
+              ''|*[!0-9]*)
+                echo "Unsupported pkgrel in AUR repo: ${CURRENT_PKGREL}"
+                exit 1
+                ;;
+              *)
+                PKGREL=$((CURRENT_PKGREL + 1))
+                ;;
+            esac
+          else
+            PKGREL=1
+          fi
+
+          echo "Publishing AUR package version ${PKGVER}-${PKGREL}"
+
+          # Compute SHA256 of the source archive from the same URL the PKGBUILD will download.
           SHA=$(curl -fsSL "https://git.warky.dev/wdevs/unitdore/archive/v${PKGVER}.zip" | sha256sum | cut -d' ' -f1)
 
-          # Update PKGBUILD — keep remote source URL, only bump version and checksum
+          # Update PKGBUILD — keep remote source URL, bump version/checksum, and increment pkgrel for same-version rebuilds.
           sed -e "s/^pkgver=.*/pkgver=${PKGVER}/" \
-              -e "s/^pkgrel=.*/pkgrel=1/" \
+              -e "s/^pkgrel=.*/pkgrel=${PKGREL}/" \
               -e "s/^sha256sums=.*/sha256sums=('${SHA}')/" \
               pkg/arch/PKGBUILD > aur-repo/PKGBUILD
 
@@ -172,7 +191,7 @@ jobs:
           git config user.email "hein@warky.dev"
           git config user.name "Hein"
           git add PKGBUILD .SRCINFO
-          git commit -m "Update to v${PKGVER}"
+          git commit -m "Update to v${PKGVER}-${PKGREL}"
           GIT_SSH_COMMAND="ssh -o IdentitiesOnly=yes -o StrictHostKeyChecking=yes -o UserKnownHostsFile=$AUR_KNOWN_HOSTS -i $AUR_KEY_PATH" \
             git push origin HEAD:master
 
@@ -243,8 +262,16 @@ jobs:
 
       - name: Build RPM
         run: |
+          set -euo pipefail
+
           VERSION="${{ github.event.inputs.tag || github.ref_name }}"
           PKGVER="${VERSION#v}"
+          GO_VER="$(awk '/^go / { print $2; exit }' go.mod)"
+
+          if [ -z "${GO_VER}" ]; then
+            echo "Failed to determine Go version from go.mod"
+            exit 1
+          fi
 
           # Source tarball — prefix=unitdore-VERSION/ matches RPM %autosetup convention
           git archive --format=tar.gz --prefix=unitdore-${PKGVER}/ HEAD \
@@ -254,23 +281,37 @@ jobs:
           sed -i "s/^Version:.*/Version:        ${PKGVER}/" pkg/centos/unitdore.spec
 
           mkdir -p pkg/centos/out
-          docker run --rm \
-            -v "$PWD:/workspace" \
-            -v "$PWD/pkg/centos/out:/out" \
-            -w /workspace \
+          CID=$(docker create \
+            -e GO_VER="${GO_VER}" \
+            -e PKGVER="${PKGVER}" \
+            -w /build \
             rockylinux:9 \
-            bash -c "
+            bash -lc "
+              set -euo pipefail
               # Rocky 9 images already ship curl-minimal, which is enough for the Go tarball download.
               dnf install -y rpm-build git &&
-              GO_VER=\$(grep '^go ' /workspace/go.mod | awk '{print \$2}') &&
               curl -fsSL https://go.dev/dl/go\${GO_VER}.linux-amd64.tar.gz | tar -C /usr/local -xz &&
               export PATH=\$PATH:/usr/local/go/bin &&
               mkdir -p ~/rpmbuild/{BUILD,BUILDROOT,RPMS,SOURCES,SPECS,SRPMS} &&
               cp unitdore-${PKGVER}.tar.gz ~/rpmbuild/SOURCES/ &&
               cp pkg/centos/unitdore.spec ~/rpmbuild/SPECS/ &&
-              rpmbuild --nodeps -ba ~/rpmbuild/SPECS/unitdore.spec &&
-              find ~/rpmbuild/RPMS -name '*.rpm' -exec cp {} /out/ \;
-            "
+              rpmbuild --nodeps -ba ~/rpmbuild/SPECS/unitdore.spec
+            ")
+
+          cleanup() {
+            docker rm -f "$CID" >/dev/null 2>&1 || true
+          }
+          trap cleanup EXIT
+
+          # Avoid bind mounts here because DinD runners may not expose the checkout path to the Docker daemon.
+          docker cp unitdore-${PKGVER}.tar.gz "$CID:/build/unitdore-${PKGVER}.tar.gz"
+          docker cp pkg "$CID:/build/pkg"
+
+          docker start -a "$CID"
+          docker cp "$CID:/root/rpmbuild/RPMS/." pkg/centos/out/
+
+          trap - EXIT
+          cleanup
 
       - name: Upload to release
         run: |
diff --git a/pkg/arch/PKGBUILD b/pkg/arch/PKGBUILD
index 052db2d..eb80f08 100644
--- a/pkg/arch/PKGBUILD
+++ b/pkg/arch/PKGBUILD
@@ -1,6 +1,6 @@
 # Maintainer: Hein (Warky Devs) <hein@warky.dev>
 pkgname=unitdore
-pkgver=0.1.0
+pkgver=0.0.4
 pkgrel=1
 pkgdesc="A door you open and close for container units — manage containers via systemd"
 arch=('x86_64' 'aarch64')
@@ -12,12 +12,11 @@ optdepends=(
     'docker: Docker container runtime support'
 )
 makedepends=('go')
-backup=('etc/unitdore/units.yaml')
 source=("$pkgname-$pkgver.zip::$url/archive/v$pkgver.zip")
 sha256sums=('SKIP')
 
 build() {
-    cd "$pkgname-v$pkgver"
+    cd "$pkgname"
     export CGO_ENABLED=0
     go build \
         -trimpath \
@@ -26,12 +25,12 @@ build() {
 }
 
 check() {
-    cd "$pkgname-v$pkgver"
+    cd "$pkgname"
     go test ./...
 }
 
 package() {
-    cd "$pkgname-v$pkgver"
+    cd "$pkgname"
 
     # Binary
     install -Dm755 "$pkgname" "$pkgdir/usr/bin/$pkgname"