diff --git a/.github/actions/buildkit-setup/README.md b/.github/actions/buildkit-setup/README.md
new file mode 100644
index 0000000..f4830b7
--- /dev/null
+++ b/.github/actions/buildkit-setup/README.md
@@ -0,0 +1,42 @@
+# buildkit-setup
+
+Composite action that wires up `docker/setup-buildx-action` against the shared
+rootless buildkitd in the `tooling-prod` EKS cluster. Use on any ARC runner
+before `docker/build-push-action`.
+
+## Usage
+
+```yaml
+jobs:
+  build:
+    runs-on: arc-runner-4
+    steps:
+      - uses: actions/checkout@v4
+      - uses: lightsparkdev/.github/actions/buildkit-setup@v1
+      - uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: true
+          tags: ...
+```
+
+That's it. No `setup-buildx-action` call of your own, no per-workflow TLS
+plumbing. The runner pod has the mTLS client cert mounted at
+`/etc/buildkit-client/{ca,tls.crt,tls.key}` (handled by the gha-runner-scale-set
+chart in `lightsparkdev/tooling-infra`).
+
+## Inputs
+
+| Name       | Default                                                            | Notes                                                                                                              |
+|------------|--------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------|
+| `endpoint` | `tcp://buildkitd.buildkit.svc.cluster.local:1234`                  | Override for testing against a specific replica via per-pod DNS (`buildkitd-N.buildkitd.buildkit.svc.cluster.local`). |
+
+## Where this works
+
+- `runs-on: arc-runner-{1,2,4,8}` — the in-cluster ARC scale sets.
+- Not GH-hosted runners (the buildkit service is cluster-internal; the certs aren't there).
+
+## When NOT to use this
+
+- Workflows that need `services:` blocks (postgres, redis, etc.) — those need a real docker daemon, not just buildx.
+- `kind`/`tilt`-based hermetic tests — same reason. These should stay on GH-hosted.
diff --git a/.github/actions/buildkit-setup/action.yaml b/.github/actions/buildkit-setup/action.yaml
new file mode 100644
index 0000000..2969cb8
--- /dev/null
+++ b/.github/actions/buildkit-setup/action.yaml
@@ -0,0 +1,26 @@
+name: "buildkit-setup"
+description: >
+  Point docker/setup-buildx-action at the shared buildkitd service in the
+  tooling-prod EKS cluster. Use this on any ARC runner before
+  `docker/build-push-action`.
+
+  The runner pod has the mTLS client cert pre-mounted at
+  /etc/buildkit-client (see charts/arc-runner/values.yaml in
+  lightsparkdev/tooling-infra). No per-workflow auth wiring needed.
+
+inputs:
+  endpoint:
+    description: "buildkitd TCP endpoint. Override for testing against a specific replica via per-pod DNS (e.g. tcp://buildkitd-2.buildkitd.buildkit.svc.cluster.local:1234)."
+    required: false
+    default: "tcp://buildkitd.buildkit.svc.cluster.local:1234"
+
+runs:
+  using: composite
+  steps:
+    - uses: docker/setup-buildx-action@v3
+      with:
+        driver: remote
+        endpoint: ${{ inputs.endpoint }}
+        cacert: /etc/buildkit-client/ca.crt
+        cert: /etc/buildkit-client/tls.crt
+        key: /etc/buildkit-client/tls.key