diff --git a/Dockerfile.cicd b/Dockerfile.cicd
index cca88ce..7fa198c 100644
--- a/Dockerfile.cicd
+++ b/Dockerfile.cicd
@@ -36,7 +36,9 @@ RUN --mount=type=secret,id=ssh_private_key \
     git clone --depth 1 --branch main \
     ssh://git@kankali.darkhelm.lan:2222/DarkHelm.org/plex-playlist.git /tmp/repo && \
     if [ -n "$GITHUB_SHA" ]; then \
-        cd /tmp/repo && git checkout "$GITHUB_SHA" 2>/dev/null || echo "Using main branch HEAD"; \
+        cd /tmp/repo && \
+        GIT_SSH_COMMAND="ssh -F ~/.ssh/config" git fetch --depth 1 origin "$GITHUB_SHA" 2>/dev/null || true && \
+        git checkout "$GITHUB_SHA" 2>/dev/null || echo "Using main branch HEAD"; \
     fi && \
     # Extract only dependency files for caching optimization
     mkdir -p /workspace/backend /workspace/frontend && \
@@ -45,7 +47,7 @@ RUN --mount=type=secret,id=ssh_private_key \
     cp /tmp/repo/frontend/yarn.lock /workspace/frontend/ 2>/dev/null || echo "No frontend yarn.lock" && \
     cp /tmp/repo/.pre-commit-config.yaml /workspace/ 2>/dev/null || echo "No pre-commit config" && \
     echo "✓ Dependency files extracted for optimized layer caching" && \
-    rm -rf /tmp/repo ~/.ssh
+    rm -rf ~/.ssh
 
 # OPTIMIZATION PHASE 1: Install backend dependencies from extracted pyproject.toml
 WORKDIR /workspace/backend
@@ -118,50 +120,20 @@ RUN if [ -f "package.json" ]; then \
         echo "No package.json found, skipping frontend dependencies"; \
     fi
 
-# OPTIMIZATION PHASE 3: Now clone full source code (dependencies already cached above)
+# OPTIMIZATION PHASE 3: Reuse the repo cloned in phase 1 to avoid re-clone/session timeout
 WORKDIR /workspace
-RUN --mount=type=secret,id=ssh_private_key \
-    echo "=== Cloning Full Source Code (Phase 3: After Dependencies) ===" && \
-    mkdir -p ~/.ssh && \
-    cp /run/secrets/ssh_private_key ~/.ssh/id_rsa && \
-    chmod 600 ~/.ssh/id_rsa && \
-    echo "Host kankali.darkhelm.lan" > ~/.ssh/config && \
-    echo "    Port 2222" >> ~/.ssh/config && \
-    echo "    StrictHostKeyChecking no" >> ~/.ssh/config && \
-    echo "    UserKnownHostsFile /dev/null" >> ~/.ssh/config && \
-    chmod 600 ~/.ssh/config && \
-    (ssh-keyscan -p 2222 kankali.darkhelm.lan >> ~/.ssh/known_hosts 2>/dev/null || echo "Warning: ssh-keyscan failed, continuing with StrictHostKeyChecking=no") && \
-    clone_ok=false && \
-    for i in 1 2 3; do \
-        echo "Clone attempt ${i}/3 from Gitea..." && \
-        if GIT_SSH_COMMAND="ssh -F ~/.ssh/config" \
-            git clone --depth 1 --branch main \
-            ssh://git@kankali.darkhelm.lan:2222/DarkHelm.org/plex-playlist.git /tmp/fullrepo; then \
-            clone_ok=true && \
-            break; \
-        fi && \
-        if [ "${i}" -lt 3 ]; then \
-            echo "⚠ Clone attempt ${i} failed, retrying in 5 seconds..." && \
-            rm -rf /tmp/fullrepo && \
-            sleep 5; \
-        fi; \
-    done && \
-    if [ "${clone_ok}" != "true" ]; then \
-        echo "❌ Failed to clone repository from Gitea after 3 attempts" && \
+RUN if [ ! -d "/tmp/repo/.git" ]; then \
+        echo "❌ Missing /tmp/repo clone from phase 1" && \
         exit 1; \
-    fi && \
-    if [ -n "$GITHUB_SHA" ]; then \
-        cd /tmp/fullrepo && git checkout "$GITHUB_SHA" 2>/dev/null || echo "Using main branch HEAD"; \
-    fi && \
-    rm -rf ~/.ssh
+    fi
 
 RUN echo "Copying source code while preserving installed dependencies..." && \
     echo "Source files in repo:" && \
-    ls -la /tmp/fullrepo/ && \
+    ls -la /tmp/repo/ && \
     echo "Current workspace state:" && \
     find /workspace -name "node_modules" -o -name ".venv" -o -name ".yarn" && \
     echo "Copying source files (excluding dependencies)..." && \
-    for item in /tmp/fullrepo/*; do \
+    for item in /tmp/repo/*; do \
         basename_item=$(basename "$item"); \
         if [ "$basename_item" = "backend" ] && [ -d "/workspace/backend/.venv" ]; then \
             echo "Copying backend files while preserving .venv..."; \
@@ -176,14 +148,14 @@ RUN echo "Copying source code while preserving installed dependencies..." && \
     done && \
     # Copy common hidden root files without touching . or ..
     for dotfile in .dockerignore .gitignore .pre-commit-config.yaml .editorconfig; do \
-        if [ -f "/tmp/fullrepo/${dotfile}" ]; then \
-            cp -f "/tmp/fullrepo/${dotfile}" /workspace/; \
+        if [ -f "/tmp/repo/${dotfile}" ]; then \
+            cp -f "/tmp/repo/${dotfile}" /workspace/; \
         fi; \
     done && \
     echo "Final dependency check:" && \
     find /workspace -name "node_modules" -o -name ".venv" -o -name ".yarn" && \
     echo "✓ Full source code copied, dependencies preserved" && \
-    rm -rf /tmp/fullrepo
+    rm -rf /tmp/repo
 
 # PHASE 3.5: Regenerate Yarn PnP state after source code update
 WORKDIR /workspace/frontend