diff --git a/.github/workflows/docker-build-images.yml b/.github/workflows/docker-build-images.yml index aa7883c3..83b47f40 100644 --- a/.github/workflows/docker-build-images.yml +++ b/.github/workflows/docker-build-images.yml @@ -93,6 +93,30 @@ on: # yamllint disable-line rule:truthy default: "gha" type: string required: false + buildkitd-config-inline: + description: | + Inline BuildKit daemon configuration. + See https://github.com/docker/setup-buildx-action#inputs. + Example for insecure registry: + ```ini + [registry."my-registry.local:5000"] + http = true + insecure = true + ``` + type: string + required: false + cache-registry: + description: | + Optional separate registry for Docker build cache. + Use this when cache is stored on a different registry than the final image. + type: string + required: false + cache-registry-username: + description: | + Username for the cache registry. + Required if cache-registry is set and requires authentication. + type: string + required: false sign: description: | Sign built images. @@ -116,6 +140,11 @@ on: # yamllint disable-line rule:truthy GitHub App private key to generate GitHub token to be passed as build secret env. See https://github.com/actions/create-github-app-token. required: false + cache-registry-password: + description: | + Password for the cache registry. + Required if cache-registry is set and requires authentication. + required: false outputs: built-images: description: | 
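Review bot: The `buildkitd-config-inline` description gives `http = true` / `insecure = true` as its only example and says nothing about what those settings give up. With them, BuildKit reaches that registry without TLS or without verifying its certificate, so imported cache layers arrive over an unauthenticated channel, and presumably so do the credentials used for cache push/pull. Those layers can end up in images this workflow later signs, so I would add a caveat to the description, for example `Only use http/insecure for a registry on an isolated, trusted network; never for the registry that holds published images.` The same description is repeated in the inputs hunk of `actions/docker/build-image/action.yml` and needs the same sentence.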
@@ -414,6 +443,10 @@ jobs: secret-envs: ${{ steps.prepare-secret-envs.outputs.secret-envs }} secrets: ${{ secrets.build-secrets }} cache-type: ${{ inputs.cache-type }} + cache-registry: ${{ inputs.cache-registry }} + cache-registry-username: ${{ inputs.cache-registry-username }} + cache-registry-password: ${{ secrets.cache-registry-password }} + buildkitd-config-inline: ${{ inputs.buildkitd-config-inline }} multi-platform: ${{ matrix.image.multi-platform }} # FIXME: Set built images infos in file to be uploaded as artifacts, because github action does not handle job outputs for matrix diff --git a/actions/docker/build-image/action.yml b/actions/docker/build-image/action.yml index 81f65932..49f42eb1 100644 --- a/actions/docker/build-image/action.yml +++ b/actions/docker/build-image/action.yml @@ -87,6 +87,33 @@ inputs: See https://docs.docker.com/build/cache/backends. default: "gha" required: false + cache-registry: + description: | + Optional separate registry for Docker build cache. + Use this when cache is stored on a different registry than the final image. + If not set, cache operations use the main oci-registry. + required: false + cache-registry-username: + description: | + Username for the cache registry. + Required if cache-registry is set and requires authentication. + required: false + cache-registry-password: + description: | + Password for the cache registry. + Required if cache-registry is set and requires authentication. + required: false + buildkitd-config-inline: + description: | + Inline BuildKit daemon configuration. + See https://github.com/docker/setup-buildx-action#inputs. + Example for insecure registry: + ```ini + [registry."my-registry.local:5000"] + http = true + insecure = true + ``` + required: false multi-platform: description: | Whether this build participates in a multi-platform image publication. 
@@ -174,11 +201,23 @@ runs: const cacheType = `${{ inputs.cache-type }}`.trim(); const metadataImage = `${{ steps.metadata.outputs.image }}`; - const cacheImage = cacheType === 'registry' ? `${metadataImage}/cache` : metadataImage; + const cacheRegistry = `${{ inputs.cache-registry }}`.trim(); + + let cacheImage; + if (cacheRegistry) { + // Use separate cache registry: replace the registry part of the image + const imageParts = metadataImage.split('/'); + // Remove the original registry (first part) and join with cache registry + imageParts.shift(); + cacheImage = `${cacheRegistry}/${imageParts.join('/')}/cache`; + } else { + // Use main registry for cache + cacheImage = cacheType === 'registry' ? `${metadataImage}/cache` : metadataImage; + } core.setOutput('cache-image', cacheImage); try { - await exec.exec('command -v docker', { stdio: 'ignore' }); + await io.which('docker', true); core.setOutput('docker-exists', 'true'); } catch (error) { // docker not available on runner @@ -248,6 +287,7 @@ runs: # FIXME: upgrade version when available (https://hub.docker.com/r/moby/buildkit) driver-opts: | image=moby/buildkit:v0.27.0 + buildkitd-config-inline: ${{ inputs.buildkitd-config-inline }} # Caching setup - id: cache-arguments @@ -278,6 +318,13 @@ runs: registry: ${{ inputs.oci-registry }} username: ${{ inputs.oci-registry-username }} password: ${{ inputs.oci-registry-password }} + + - uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 + if: inputs.cache-registry + with: + registry: ${{ inputs.cache-registry }} + username: ${{ inputs.cache-registry-username }} + password: ${{ inputs.cache-registry-password }} # jscpd:ignore-end - id: build
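Review bot: The new `cacheRegistry` line expands `${{ inputs.cache-registry }}` straight into the script source inside a template literal, so a value containing a backtick or `${` is evaluated as JavaScript instead of being treated as data. Pass it through the step environment instead: add `CACHE_REGISTRY: ${{ inputs.cache-registry }}` under the step's `env:` and read it with `const cacheRegistry = (process.env.CACHE_REGISTRY || '').trim();`. The context lines for `cache-type` and the metadata image use the same pattern and could move with it. Separately, `imageParts.shift()` assumes the first path segment of the metadata image is a registry host; if that image can ever lack one, the namespace is dropped instead, so a comment stating the assumption or a check would help. The step starts outside this hunk, so whether an `env:` block already exists is not visible here.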
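Review bot: The added `docker/login-action` step is gated only on `inputs.cache-registry`, yet the input descriptions say the username and password are needed only when the cache registry requires authentication. For an anonymous cache registry the step would still run with an empty `username` and `password`, which docker/login-action appears to reject, failing the job before the build. Gating on the credential as well would match the documented contract: `if: inputs.cache-registry && inputs.cache-registry-username`. A short comment above the step saying that this login exists only for cache import/export would also make it clear why a second login follows the main registry one.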