diff --git a/dockerfile.sh b/dockerfile.sh
index 2613303..7b15c9c 100755
--- a/dockerfile.sh
+++ b/dockerfile.sh
@@ -395,6 +395,9 @@ generate_build_command() {
   # .yarnrc.yml writes use `printf` at build time (POSIX printf interprets \n in
   # every shell), not `echo` (whose \n handling depends on the builder's /bin/sh).
   local h="/home/${BUILDER_USER}"
+  printf '%s\n' "# Application version, injected from the build host (image context has no .git)"
+  printf '%s\n' "ARG APP_VERSION"
+  printf '%s\n' 'ENV APP_VERSION=${APP_VERSION}'
   printf '%s\n' "# Build with npm auth mounted as a secret (token never persists in a layer)"
   printf '%s\n' "RUN --mount=type=secret,id=npm_access_token,mode=0444 set -eu && \\"
   printf '%s\n' "  NPM_ACCESS_TOKEN=\$(cat /run/secrets/npm_access_token) && \\"
diff --git a/scripts/build-prod-node.sh b/scripts/build-prod-node.sh
index 152b60f..3ffba8e 100644
--- a/scripts/build-prod-node.sh
+++ b/scripts/build-prod-node.sh
@@ -3,13 +3,17 @@
 # On error exit
 set -euo pipefail
 
-git config --global --add safe.directory /home/ubuntu/app
-
-# Compute version info
-REV=$(git rev-parse --short HEAD)
-TAG=$(git tag --points-at HEAD 2>/dev/null || echo "")
 CWD=$(pwd)
-APP_VERSION="${REV} (${TAG:-undefined})"
+
+# APP_VERSION is normally injected from the build host (the image build context
+# has no .git, so git cannot run here). Fall back to git only when this script
+# is run locally inside a real repository.
+if [ -z "${APP_VERSION:-}" ]; then
+  git config --global --add safe.directory "$CWD" 2>/dev/null || true
+  REV=$(git rev-parse --short HEAD 2>/dev/null || echo "unknown")
+  TAG=$(git tag --points-at HEAD 2>/dev/null || echo "")
+  APP_VERSION="${REV} (${TAG:-undefined})"
+fi
 
 echo "Building: ${APP_VERSION}"