diff --git a/.forgejo/workflows/update-flake-lock.yml b/.forgejo/workflows/update-flake-lock.yml
index 1e93060e..f964b31c 100644
--- a/.forgejo/workflows/update-flake-lock.yml
+++ b/.forgejo/workflows/update-flake-lock.yml
@@ -9,7 +9,7 @@ jobs:
     runs-on: forgejo
     container:
       image: git.sysctl.io/albert/actions-images/node:latest
-      options: --pull always
+      options: "--pull always"
     steps:
       - run: cat /etc/hosts.template
       - run: cat /etc/hosts
diff --git a/nixos/common/services/forgejo-runner.nix b/nixos/common/services/forgejo-runner.nix
index 51f932e5..17f9bdc9 100644
--- a/nixos/common/services/forgejo-runner.nix
+++ b/nixos/common/services/forgejo-runner.nix
@@ -26,6 +26,10 @@
       tokenFile = /run/secrets/services/forgejo_token;
       hostPackages = with pkgs; [ nix deploy-rs nodejs coreutils git gnutar gzip ];
       settings = {
+        container = {
+          force_pull = true;
+          clean_working_directory = true;
+        };
         valid_volumes = [
           "/run/podman/podman.sock:/run/podman/podman.sock:rw" # Docker socket
           "/dev/net/tun:/dev/net/tun:rw"  # Tunnel device mapping