diff --git a/.github/actions/setup-docker-publish/action.yml b/.github/actions/setup-docker-publish/action.yml
new file mode 100644
index 0000000..9144ac6
--- /dev/null
+++ b/.github/actions/setup-docker-publish/action.yml
@@ -0,0 +1,24 @@
+name: "Set up Docker publish"
+description: >-
+  Set up QEMU + Docker Buildx and authenticate to Docker Hub for multi-arch
+  image builds. Centralizes the QEMU/Buildx/login trio that the release,
+  preview, and stable workflows previously each copied (and which had drifted
+  to different pinned SHAs).
+
+inputs:
+  dockerhub-username:
+    description: "Docker Hub username (pass from secrets)"
+    required: true
+  dockerhub-token:
+    description: "Docker Hub token/password (pass from secrets)"
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130  # v3
+    - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f  # v3
+    - uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9  # v3
+      with:
+        username: ${{ inputs.dockerhub-username }}
+        password: ${{ inputs.dockerhub-token }}
diff --git a/.github/actions/setup-hatch/action.yml b/.github/actions/setup-hatch/action.yml
new file mode 100644
index 0000000..0da5160
--- /dev/null
+++ b/.github/actions/setup-hatch/action.yml
@@ -0,0 +1,13 @@
+name: "Set up Hatch build tooling"
+description: >-
+  Install the pinned hatch / hatchling / virtualenv toolchain used to build
+  and publish the package. Assumes Python is already set up by the caller.
+
+runs:
+  using: "composite"
+  steps:
+    - shell: bash
+      run: |
+        python -m pip install --upgrade pip
+        pip install "virtualenv<20.36"
+        pip install hatchling==1.27.0 hatch==1.14.0
diff --git a/.github/workflows/docker-stable.yml b/.github/workflows/docker-stable.yml
index 3639ffc..24fc3a4 100644
--- a/.github/workflows/docker-stable.yml
+++ b/.github/workflows/docker-stable.yml
@@ -28,23 +28,19 @@ jobs:
           fi
           echo "Version ${INPUT_VERSION} found on PyPI - proceeding with release"
 
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
-
-      - name: Login to Docker Hub with Organization Token
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
+      - name: Set up Docker publishing
+        uses: ./.github/actions/setup-docker-publish
         with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
+          dockerhub-username: ${{ secrets.DOCKERHUB_USERNAME }}
+          dockerhub-token: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Build & Push Stable Docker
         uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5
         with:
           push: true
           platforms: linux/amd64,linux/arm64
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
           tags: socketdev/cli:stable
           build-args: |
             CLI_VERSION=${{ inputs.version }}
diff --git a/.github/workflows/pr-preview.yml b/.github/workflows/pr-preview.yml
index ef47ea0..5b4a892 100644
--- a/.github/workflows/pr-preview.yml
+++ b/.github/workflows/pr-preview.yml
@@ -3,6 +3,12 @@ on:
   pull_request:
     types: [opened, synchronize, ready_for_review]
 
+# Cancel an in-flight preview when the PR is pushed again -- previews are slow
+# (publish + multi-step Docker build), so superseded runs shouldn't keep going.
+concurrency:
+  group: pr-preview-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
+
 jobs:
   preview:
     # Skip on:
@@ -26,12 +32,8 @@ jobs:
         with:
           python-version: '3.13'
 
-      # Install all dependencies from pyproject.toml
-      - name: Install dependencies
-        run: |
-          python -m pip install --upgrade pip
-          pip install "virtualenv<20.36"
-          pip install hatchling==1.27.0 hatch==1.14.0
+      - name: Install build tooling
+        uses: ./.github/actions/setup-hatch
 
       - name: Inject full dynamic version
         run: python .hooks/sync_version.py --dev
@@ -139,18 +141,12 @@ jobs:
           echo "success=false" >> $GITHUB_OUTPUT
           exit 1
 
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349
-
-      - name: Login to Docker Hub with Organization Token
+      - name: Set up Docker publishing
         if: steps.verify_package.outputs.success == 'true'
-        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
+        uses: ./.github/actions/setup-docker-publish
         with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
+          dockerhub-username: ${{ secrets.DOCKERHUB_USERNAME }}
+          dockerhub-token: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Build & Push Docker Preview
         if: steps.verify_package.outputs.success == 'true'
@@ -159,7 +155,12 @@ jobs:
           VERSION: ${{ env.VERSION }}
         with:
           push: true
-          platforms: linux/amd64,linux/arm64
+          # Preview images are for quick testing -- build amd64 only. arm64 via
+          # QEMU emulation is the slowest part of the job; release builds keep
+          # multi-arch. GHA layer cache speeds up repeated preview builds.
+          platforms: linux/amd64
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
           tags: |
             socketdev/cli:pr-${{ github.event.pull_request.number }}
           build-args: |
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 5549b88..535a269 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -18,13 +18,9 @@ jobs:
         with:
           python-version: '3.13'
 
-      # Install all dependencies from pyproject.toml
-      - name: Install dependencies
-        run: |
-          python -m pip install --upgrade pip
-          pip install "virtualenv<20.36"
-          pip install hatchling==1.27.0 hatch==1.14.0
-          
+      - name: Install build tooling
+        uses: ./.github/actions/setup-hatch
+
       - name: Get Version
         id: version
         env:
@@ -72,17 +68,11 @@ jobs:
         if: steps.version_check.outputs.pypi_exists != 'true'
         uses: pypa/gh-action-pypi-publish@ab69e431e9c9f48a3310be0a56527c679f56e04d
 
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349
-
-      - name: Login to Docker Hub with Organization Token
-        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
+      - name: Set up Docker publishing
+        uses: ./.github/actions/setup-docker-publish
         with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
+          dockerhub-username: ${{ secrets.DOCKERHUB_USERNAME }}
+          dockerhub-token: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Verify package is installable
         id: verify_package
@@ -112,6 +102,8 @@ jobs:
         with:
           push: true
           platforms: linux/amd64,linux/arm64
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
           tags: |
             socketdev/cli:latest
             socketdev/cli:${{ env.VERSION }}