diff --git a/.gitea/workflows/cicd.yml b/.gitea/workflows/cicd.yml
index 1aa7869..3064c14 100644
--- a/.gitea/workflows/cicd.yml
+++ b/.gitea/workflows/cicd.yml
@@ -116,18 +116,18 @@ jobs:
 ssh-keyscan -p 2222 dogar.darkhelm.org >> ~/.ssh/known_hosts 2>/dev/null
 fi
- # Clone just enough to get the Dockerfile
+ # Clone just enough to get the Dockerfiles
 GIT_SSH_COMMAND="ssh -o StrictHostKeyChecking=no" \
 git clone --depth 1 --no-checkout \
 ssh://git@dogar.darkhelm.org:2222/DarkHelm.org/plex-playlist.git .
- # Checkout only the Dockerfile and dockerignore
- git checkout HEAD -- Dockerfile.cicd .dockerignore
+ # Checkout Dockerfiles and dockerignore (include base for fallback)
+ git checkout HEAD -- Dockerfile.cicd Dockerfile.cicd-base .dockerignore
 # Clean up SSH key for security
 rm -f ~/.ssh/id_rsa
- echo "✓ Dockerfile.cicd ready for secure build"
+ echo "✓ Dockerfile.cicd and fallback base ready for secure build"
 - name: Build and push complete CICD image
 env:
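Review bot: The added `git checkout HEAD -- Dockerfile.cicd Dockerfile.cicd-base .dockerignore` makes this clone the source of the recipe for the fallback base image, yet the clone still runs with `ssh -o StrictHostKeyChecking=no`, so the server's host key is never verified. The lines above appear to populate `~/.ssh/known_hosts` with ssh-keyscan, which would let the clone run as `GIT_SSH_COMMAND="ssh -o StrictHostKeyChecking=yes"`. Pinning the expected host key in the workflow would be stronger than scanning it at run time, since a scanned key is only trusted on first use. The ssh-keyscan call sits inside an `if` whose condition is outside this hunk, so confirm it covers every path before tightening the option.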
@@ -141,6 +141,29 @@ jobs:
 # Login to registry
 echo "${PACKAGE_ACCESS_TOKEN}" | docker login dogar.darkhelm.org -u "${REGISTRY_USER}" --password-stdin
+ # Verify base image availability with fallback strategy
+ BASE_IMAGE="dogar.darkhelm.org/darkhelm.org/plex-playlist/cicd-base:latest"
+ echo "Checking base image availability: ${BASE_IMAGE}"
+
+ if docker pull "${BASE_IMAGE}" 2>/dev/null; then
+ echo "✓ Base image pulled successfully from registry"
+ else
+ echo "❌ Failed to pull base image from registry"
+ echo "This might be the first run - checking if we need to build base locally..."
+
+ # Check if base Dockerfile exists and build it locally as fallback
+ if [ -f "Dockerfile.cicd-base" ]; then
+ echo "Building base image locally as fallback..."
+ export DOCKER_BUILDKIT=1
+ docker build -f Dockerfile.cicd-base -t cicd-base-local:latest .
+ BASE_IMAGE="cicd-base-local:latest"
+ echo "✓ Base image built locally: ${BASE_IMAGE}"
+ else
+ echo "❌ Cannot find Dockerfile.cicd-base for fallback build"
+ exit 1
+ fi
+ fi
+
 # Create temporary SSH key file for BuildKit secrets
 echo "${SSH_PRIVATE_KEY}" > /tmp/ssh_key
 chmod 600 /tmp/ssh_key
@@ -150,10 +173,11 @@ jobs:
 # Build complete CICD image using secure BuildKit secrets, inheriting from base
 # SSH key is mounted securely and never stored in image layers
+ echo "Building complete image with base: ${BASE_IMAGE}"
 docker build -f Dockerfile.cicd \
 --secret id=ssh_private_key,src=/tmp/ssh_key \
 --build-arg GITHUB_SHA="$GITHUB_SHA" \
- --build-arg CICD_BASE_IMAGE="dogar.darkhelm.org/darkhelm.org/plex-playlist/cicd-base:latest" \
+ --build-arg CICD_BASE_IMAGE="${BASE_IMAGE}" \
 -t cicd:latest .
 # Clean up temporary SSH key file
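Review bot: The fallback triggers on any `docker pull` failure, and `2>/dev/null` discards the reason, so an authentication error, a registry outage or a manifest problem all read as "first run" and quietly move the published image onto a locally built base. Keep the error visible with `if docker pull "${BASE_IMAGE}"; then`, and gate the local build on an explicit opt-in set by the workflow rather than on pull failure alone. The fallback also does not check the result of `docker build -f Dockerfile.cicd-base -t cicd-base-local:latest .`. Unless the step runs with errexit (not visible in this hunk), a failed build leaves `BASE_IMAGE` pointing at a missing tag or at a stale `cicd-base-local:latest` from an earlier run on the same runner, so append `|| exit 1` to that line.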
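Review bot: `--build-arg CICD_BASE_IMAGE="${BASE_IMAGE}"` can now carry the unqualified tag `cicd-base-local:latest`, which Docker normalizes to `docker.io/library/cicd-base-local:latest`. If that tag is absent from the builder's local store, the `FROM` in Dockerfile.cicd (assuming it consumes this argument) may be resolved against Docker Hub instead of failing, depending on the builder in use. Check the image before the build and log its ID so the job records which base went into the result, e.g. `docker image inspect --format '{{.Id}}' "${BASE_IMAGE}" || exit 1` placed ahead of `docker build -f Dockerfile.cicd`. Giving the fallback a registry-qualified name under dogar.darkhelm.org would remove the ambiguity altogether.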