diff --git a/.gitea/workflows/build-production-docker.yml b/.gitea/workflows/build-production-docker.yml
index 3d586ac..67d6fde 100644
--- a/.gitea/workflows/build-production-docker.yml
+++ b/.gitea/workflows/build-production-docker.yml
@@ -96,21 +96,33 @@ jobs:
 
           docker tag "${IMAGE_NAME}:prod-${GITHUB_SHA}" "${ecr_image}:latest"
 
-          image_ids="$(aws ecr list-images \
+          retry() {
+            for attempt in 1 2 3; do
+              if "$@"; then
+                return 0
+              fi
+              if [ "${attempt}" -eq 3 ]; then
+                return 1
+              fi
+              sleep "$((attempt * 5))"
+            done
+          }
+          retry docker push "${ecr_image}:latest"
+
+          untagged_image_ids="$(aws ecr list-images \
             --region "${AWS_REGION}" \
             --repository-name "${ECR_REPOSITORY}" \
+            --filter tagStatus=UNTAGGED \
             --query 'imageIds[*]' \
             --output json)"
-          if [ "${image_ids}" != "[]" ]; then
+          if [ "${untagged_image_ids}" != "[]" ]; then
             aws ecr batch-delete-image \
               --region "${AWS_REGION}" \
               --repository-name "${ECR_REPOSITORY}" \
-              --image-ids "${image_ids}" >/dev/null \
+              --image-ids "${untagged_image_ids}" >/dev/null \
               || echo "Warning: ECR image cleanup failed; ensure the CI AWS user has ecr:BatchDeleteImage" >&2
           fi
 
-          docker push "${ecr_image}:latest"
-
   deploy-production:
     needs: build-backend-image
     runs-on: wsl2-docker-host