diff --git a/.github/workflows/build-skills.yml b/.github/workflows/build-skills.yml
index 41852c02..aa0c12e7 100644
--- a/.github/workflows/build-skills.yml
+++ b/.github/workflows/build-skills.yml
@@ -333,6 +333,12 @@ jobs:
           IMAGE_REF: ${{ steps.meta.outputs.image_name }}:${{ steps.meta.outputs.version }}
           PUSH: ${{ github.event_name != 'pull_request' }}
         run: |
+          # pipefail so a dockhand failure propagates through `tee` and fails
+          # the step. The previous `output=$(dockhand ... 2>&1); echo "$output"`
+          # pattern combined with `set -e` exited before echoing, hiding the
+          # real error from the job log.
+          set -o pipefail
+
           echo "Building skill artifact for $CONFIG_FILE"
 
           build_args="--config $CONFIG_FILE --tag $IMAGE_REF"
@@ -340,12 +346,15 @@ jobs:
             build_args="$build_args --push"
           fi
 
-          output=$(/tmp/dockhand build-skill $build_args 2>&1)
-          echo "$output"
+          log_file=$(mktemp)
+          /tmp/dockhand build-skill $build_args 2>&1 | tee "$log_file"
 
-          # Extract digest from output
-          digest=$(echo "$output" | grep "^Digest:" | awk '{print $2}')
+          # Extract digest from captured output. `|| true` so an absent
+          # "Digest:" line yields digest="" without failing the step; downstream
+          # steps already gate on `steps.build.outputs.digest != ''`.
+          digest=$(grep "^Digest:" "$log_file" | awk '{print $2}' || true)
           echo "digest=$digest" >> $GITHUB_OUTPUT
+          rm -f "$log_file"
 
       - name: Sign skill artifact with Cosign
         if: github.event_name != 'pull_request'