diff --git a/README.md b/README.md
index 8203807..a99dad9 100644
--- a/README.md
+++ b/README.md
@@ -59,3 +59,4 @@ Before setting up build workflows, note the following:
 - If your project needs different images for dev and prod (e.g. statically replaced variables, build-time validation that requires environment-specific values), use a [matrix strategy](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/running-variations-of-jobs-in-a-workflow) so dev and prod builds run in parallel.
 - If you have a **monorepo**, use separate jobs per image so they build concurrently on tag push.
 - **Validate your Dockerfile layer caching.** Check each layer for cache-busting pitfalls: changing commit SHAs baked into build args, rotating secrets passed as build args instead of `--mount=type=secret`, non-deterministic package installs (missing lockfiles), timestamps in generated files, and `COPY . .` placed before dependency installation layers.
+- **Only enable `push-cache` for images you intend to push to ECR.** The build action reads from the registry cache by default, but only writes back to it when `push-cache: "true"` is set. Enable this on builds that will be pushed so the cache stays up to date; leave it off for local-only or throwaway builds to avoid polluting the cache.
diff --git a/build/action.yml b/build/action.yml
index 425f055..e164c6d 100644
--- a/build/action.yml
+++ b/build/action.yml
@@ -30,14 +30,13 @@ inputs:
 description: "Newline-separated list of Docker build secrets (id=value)"
 required: false
 default: ""
- image-tag:
- description: "Image tag override (defaults to tag from git ref)"
+ push-cache:
+ description: "Push layer cache to registry (set to 'true' to enable)"
 required: false
- default: ""
-
+ default: "false"
 outputs:
 image-tag:
- description: "Resolved image tag"
+ description: "Resolved image tag (first 6 chars of commit SHA)"
 value: ${{ steps.resolve-tag.outputs.image-tag }}
 runs:
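Review bot: The `push-cache` description does not say what gets exported when it is enabled, yet the export it gates (in the `cache-to` hunk further down) runs with `mode=max`, which pushes every intermediate layer to the shared `:cache` ref. Callers deciding whether to enable it need that in the description, e.g. `description: "Push layer cache (mode=max, all intermediate layers) to the registry cache ref; set to 'true' to enable"`. Separately, dropping the `image-tag` input is a breaking interface change: as far as I recall, a caller that still passes it only gets an "unexpected input" warning while its build silently switches to the SHA-derived tag, so this deserves a changelog entry or a major version bump that the commit does not include. The `inputs:` mapping begins before this hunk.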
@@ -47,12 +46,7 @@ runs:
 id: resolve-tag
 shell: bash
 run: |
- if [[ -n "${{ inputs.image-tag }}" ]]; then
- IMAGE_TAG="${{ inputs.image-tag }}"
- else
- TAG_NAME=${GITHUB_REF##*/}
- IMAGE_TAG=$(echo $TAG_NAME | sed 's/^v//')
- fi
+ IMAGE_TAG="${GITHUB_SHA:0:6}"
 echo "IMAGE_TAG=$IMAGE_TAG" >> $GITHUB_ENV
 echo "image-tag=$IMAGE_TAG" >> $GITHUB_OUTPUT
@@ -85,4 +79,4 @@ runs:
 build-args: ${{ inputs.build-args }}
 secrets: ${{ inputs.secrets }}
 cache-from: type=registry,ref=${{ env.IMAGE_REGISTRY }}/${{ inputs.image-repo }}:cache
- cache-to: type=registry,ref=${{ env.IMAGE_REGISTRY }}/${{ inputs.image-repo }}:cache,mode=max
+ cache-to: ${{ inputs.push-cache == 'true' && format('type=registry,ref={0}/{1}:cache,mode=max', env.IMAGE_REGISTRY, inputs.image-repo) || '' }}
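Review bot: `IMAGE_TAG="${GITHUB_SHA:0:6}"` keeps only 24 bits of the commit SHA, so two commits in the same repository can resolve to the same tag and a later push would silently overwrite the earlier image under it, which also makes the tag unreliable as provenance for what was deployed. A longer prefix, `IMAGE_TAG="${GITHUB_SHA:0:12}"`, or simply the full `$GITHUB_SHA`, removes the practical collision risk; the `image-tag` output description in the earlier hunk should be updated to match whatever length is chosen. Consumers should still pin deployments by image digest rather than by tag, since registry tags remain mutable either way. The step's `- name:` line and the rest of the `runs:` block are outside this hunk.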
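Review bot: The new `cache-to` expression gates export behind `push-cache == 'true'` but keeps `mode=max`, which exports every intermediate layer, including any layer where a `build-args` value was consumed, to the shared `:cache` ref that every `cache-from` reader pulls, so a secret mistakenly passed as a build arg would be published to the cache even though it never reaches the final image. A comment above the line would make that contract visible to the next maintainer: `# mode=max exports all intermediate layers to the shared cache ref; pass secrets via the secrets input, never via build-args`. The `cond && value || ''` idiom is correct here only because `format()` never yields an empty string; computing the value in an earlier step and referencing its output would be easier to read and to change. This assumes the build step (its `uses:` line is outside the hunk) treats an empty `cache-to` as "no export".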