diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
index ce407ecd..977ee907 100644
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -743,21 +743,32 @@ jobs:
       - name: Determine image tag
         id: tag
         run: |
+          SHORT_SHA="$(echo "${{ env.TRIGGER_HEAD_SHA }}" | cut -c1-7)"
           TRIGGER_REF="${{ env.TRIGGER_REF }}"
-          case "$TRIGGER_REF" in
-            refs/heads/main)
-              echo "tag=latest" >> "$GITHUB_OUTPUT"
-              ;;
-            refs/heads/development)
-              echo "tag=dev" >> "$GITHUB_OUTPUT"
-              ;;
-            refs/tags/v*)
-              echo "tag=${TRIGGER_REF#refs/tags/v}" >> "$GITHUB_OUTPUT"
-              ;;
-            *)
-              echo "tag=sha-$(echo "${{ env.TRIGGER_HEAD_SHA }}" | cut -c1-7)" >> "$GITHUB_OUTPUT"
-              ;;
-          esac
+          TRIGGER_EVENT="${{ env.TRIGGER_EVENT }}"
+
+          # For PRs, use the pr-{number}-{short-sha} tag generated by metadata-action
+          if [[ "${TRIGGER_EVENT}" == "pull_request" ]]; then
+            PR_NUMBER="${{ env.TRIGGER_PR_NUMBER }}"
+            TAG="pr-${PR_NUMBER}-${SHORT_SHA}"
+            echo "tag=${TAG}" >> "$GITHUB_OUTPUT"
+            echo "ℹ️ Using PR tag: ${TAG}"
+          else
+            case "$TRIGGER_REF" in
+              refs/heads/main)
+                echo "tag=latest" >> "$GITHUB_OUTPUT"
+                ;;
+              refs/heads/development)
+                echo "tag=dev" >> "$GITHUB_OUTPUT"
+                ;;
+              refs/tags/v*)
+                echo "tag=${TRIGGER_REF#refs/tags/v}" >> "$GITHUB_OUTPUT"
+                ;;
+              *)
+                echo "tag=${SHORT_SHA}" >> "$GITHUB_OUTPUT"
+                ;;
+            esac
+          fi
 
       - name: Log in to GitHub Container Registry
         uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
@@ -767,9 +778,59 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Pull Docker image
-        run: docker pull "${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tag.outputs.tag }}"
+        run: |
+          IMAGE="${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tag.outputs.tag }}"
+          echo "Pulling image: ${IMAGE}"
+
+          if ! docker pull "${IMAGE}"; then
+            echo ""
+            echo "❌ Failed to pull image: ${IMAGE}"
+            echo ""
+            echo "📋 Debugging Information:"
+            echo "  Event: ${{ env.TRIGGER_EVENT }}"
+            echo "  PR Number: ${{ env.TRIGGER_PR_NUMBER }}"
+            echo "  Commit SHA: ${{ env.TRIGGER_HEAD_SHA }}"
+            echo "  Tag Generated: ${{ steps.tag.outputs.tag }}"
+            echo "  Registry: ${{ env.GHCR_REGISTRY }}"
+            echo "  Image Name: ${{ env.IMAGE_NAME }}"
+            echo ""
+            echo "  Verify:"
+            echo "  1. build-and-push job completed successfully (check job status)"
+            echo "  2. Tag matches what build-and-push generated (check workflow logs)"
+            echo "  3. Image was pushed to GHCR (check registry)"
+            echo ""
+            exit 1
+          fi
+
+          echo "✅ Image pulled successfully: ${IMAGE}"
+      - name: Verify image before proceeding
+        run: |
+          IMAGE="${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tag.outputs.tag }}"
+
+          if ! docker image inspect "${IMAGE}" >/dev/null 2>&1; then
+            echo "❌ ERROR: Image not available after pull"
+            echo "Image: ${IMAGE}"
+            docker images
+            exit 1
+          fi
+
+          echo "✅ Image verified: ${IMAGE}"
+
       - name: Create Docker Network
-        run: docker network create charon-test-net
+        run: |
+          NETWORK_NAME="charon-test-net"
+
+          # Remove stale network if it exists
+          docker network rm "${NETWORK_NAME}" 2>/dev/null || true
+
+          # Create fresh network
+          if ! docker network create "${NETWORK_NAME}"; then
+            echo "❌ Failed to create Docker network: ${NETWORK_NAME}"
+            docker network ls
+            exit 1
+          fi
+
+          echo "✅ Docker network created: ${NETWORK_NAME}"
 
       - name: Run Upstream Service (whoami)
         run: |
@@ -807,9 +868,18 @@ jobs:
       - name: Stop container
         if: always()
         run: |
-          docker stop test-container whoami || true
-          docker rm test-container whoami || true
-          docker network rm charon-test-net || true
+          echo "Cleaning up Docker resources..."
+
+          # Stop and remove containers (continue even if they don't exist)
+          docker stop test-container 2>/dev/null || echo "ℹ️ Container test-container was not running"
+          docker stop whoami 2>/dev/null || echo "ℹ️ Container whoami was not running"
+          docker rm test-container 2>/dev/null || echo "ℹ️ Container test-container not found"
+          docker rm whoami 2>/dev/null || echo "ℹ️ Container whoami not found"
+
+          # Remove network (continue even if it doesn't exist)
+          docker network rm charon-test-net 2>/dev/null || echo "ℹ️ Network charon-test-net not found"
+
+          echo "✅ Cleanup complete"
 
       - name: Create test summary
         if: always()