diff --git a/.github/workflows/publish-nx-webmail-image.yml b/.github/workflows/publish-nx-webmail-image.yml index 8d491d1..820465c 100644 --- a/.github/workflows/publish-nx-webmail-image.yml +++ b/.github/workflows/publish-nx-webmail-image.yml @@ -10,15 +10,18 @@ on: - ".github/workflows/publish-nx-webmail-image.yml" permissions: - contents: read + contents: write packages: write jobs: publish: + if: github.actor != 'github-actions[bot]' runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 + with: + fetch-depth: 0 - name: Set up QEMU uses: docker/setup-qemu-action@v3 @@ -57,6 +60,30 @@ jobs: ${{ steps.meta.outputs.image }}:${{ steps.meta.outputs.version }} ${{ steps.meta.outputs.image }}:latest + - name: Pin digest in docker-compose + shell: bash + run: | + digest="${{ steps.build.outputs.digest }}" + if [ -z "$digest" ]; then + echo "No digest returned by build step" >&2 + exit 1 + fi + pinned=" image: ${{ steps.meta.outputs.image }}:${{ steps.meta.outputs.version }}@${digest}" + sed -i -E "s|^ image: .*|$pinned|" nx-webmail/docker-compose.yml + + - name: Commit digest pin + shell: bash + run: | + if git diff --quiet -- nx-webmail/docker-compose.yml; then + echo "No docker-compose digest changes to commit." + exit 0 + fi + git config user.name "github-actions[bot]" + git config user.email "41898282+github-actions[bot]@users.noreply.github.com" + git add nx-webmail/docker-compose.yml + git commit -m "nx-webmail: pin image digest [skip ci]" + git push + - name: Summary shell: bash run: | diff --git a/nx-webmail/README.md b/nx-webmail/README.md index 2c6ab4b..ac7a26a 100644 --- a/nx-webmail/README.md +++ b/nx-webmail/README.md 
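Review bot: The switch to `contents: write` is made in the workflow-level `permissions` block, so every step of `publish` gets a token that can push to the repository, including the steps that run third-party actions referenced by mutable tags (`docker/setup-qemu-action@v3`), although only the final commit step needs it. Consider keeping `contents: read` at workflow level and moving the digest commit into a separate job that declares `permissions: contents: write` and receives the digest through job outputs; the build job's checkout could then also set `persist-credentials: false`. Pinning the actions to full commit SHAs would further limit what a retagged action could do with that token. `fetch-depth: 0` does not look necessary for the commit and push that follow, so the default shallow checkout would likely suffice. The rest of the `publish` job lies outside this hunk.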
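Review bot: In the new "Pin digest in docker-compose" step, `${{ steps.build.outputs.digest }}`, `${{ steps.meta.outputs.image }}` and `${{ steps.meta.outputs.version }}` are expanded into the script text before bash runs, so any shell or sed metacharacter in those values becomes part of the script or of the sed replacement. Passing them through `env:` and checking the digest format, not just that it is non-empty, keeps a malformed value from being committed; the `pinned=` line would then use `$IMAGE`, `$VERSION` and `$DIGEST`. The sed expression also rewrites every line matching `image:`, which would overwrite other services if the compose file defines more than one, so the pattern may need anchoring to the nx-webmail service. The `build` and `meta` steps are defined outside this hunk, so how their outputs are produced should be confirmed there.

```yaml
- name: Pin digest in docker-compose
  shell: bash
  env:
    DIGEST: ${{ steps.build.outputs.digest }}
    IMAGE: ${{ steps.meta.outputs.image }}
    VERSION: ${{ steps.meta.outputs.version }}
  run: |
    if [[ ! "$DIGEST" =~ ^sha256:[0-9a-f]{64}$ ]]; then
      echo "Unexpected digest from build step: $DIGEST" >&2
      exit 1
    fi
    # … unchanged: build $pinned and run sed on nx-webmail/docker-compose.yml …
```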
@@ -26,7 +26,8 @@ Umbrel installation is most reliable when your app uses a prebuilt image from a 2. The workflow reads `version` from `nx-webmail/umbrel-app.yml` and publishes: - `ghcr.io/weektab/nx-webmail:` - `ghcr.io/weektab/nx-webmail:latest` -3. Manual fallback: +3. The workflow then pins `nx-webmail/docker-compose.yml` to `tag@sha256:digest` automatically. +4. Manual fallback: docker buildx build --platform linux/amd64,linux/arm64 -t ghcr.io/weektab/nx-webmail:1.0.1 --push . ## Umbrel app packaging