diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index 97fe3d0..b158eb8 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -52,3 +52,39 @@ jobs:
             echo "==> $f"
             nomad job validate "$f"
           done
+
+  image-pull:
+    name: Docker image pull validation
+    runs-on: ubuntu-latest
+    # Only run on PRs that touch nomad job specs
+    if: github.event_name == 'pull_request'
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Pull changed images
+        run: |
+          git fetch origin ${{ github.base_ref }}
+          IMAGES=$(git diff origin/${{ github.base_ref }}...HEAD -- '*.nomad.hcl' \
+            | grep '^+\s*image\s*=' \
+            | grep -oP '"[^"]+:[^"]+"' \
+            | tr -d '"' \
+            | sort -u)
+
+          if [ -z "$IMAGES" ]; then
+            echo "No image changes detected, skipping pull."
+            exit 0
+          fi
+
+          FAILED=0
+          while IFS= read -r image; do
+            echo "==> Pulling $image"
+            if ! docker pull "$image"; then
+              echo "ERROR: Failed to pull $image"
+              FAILED=1
+            fi
+          done <<< "$IMAGES"
+
+          exit $FAILED
diff --git a/2-nomad-config/act-runner.nomad.hcl b/2-nomad-config/act-runner.nomad.hcl
index c082d72..8abd6d2 100644
--- a/2-nomad-config/act-runner.nomad.hcl
+++ b/2-nomad-config/act-runner.nomad.hcl
@@ -29,7 +29,6 @@ job "act-runner" {
 
       env = {
         GITEA_INSTANCE_URL = "https://gitea-1ef0bea6b75a4fd3e9393a9f7f7e4b02.othrayte.one"
-        CONFIG_FILE        = "/secrets/runner-config.yml"
       }
 
       # Required SOPS key:
@@ -43,19 +42,6 @@ EOF
         env         = true
       }
 
-      # Limit which images/labels the runner will accept so it doesn't pick up
-      # unrelated workloads if more runners are added later.
-      template {
-        data        = <<EOF
-runner:
-  labels:
-    - "ubuntu-latest:docker://node:20-bookworm"
-    - "ubuntu-22.04:docker://node:20-bookworm"
-    - "ubuntu-24.04:docker://node:20-bookworm"
-EOF
-        destination = "secrets/runner-config.yml"
-      }
-
       resources {
         cpu        = 200
         memory     = 256
diff --git a/cicd-plan.md b/cicd-plan.md
index 059d15f..98416b2 100644
--- a/cicd-plan.md
+++ b/cicd-plan.md
@@ -296,7 +296,7 @@ exit 1
 - [x] **Phase 1a**: Create `act-runner.nomad.hcl` + Terraform wrapper, register runner token in Gitea, get a hello-world workflow green
 - [x] **Phase 1b**: Add `terraform fmt` + `terraform validate -backend=false` workflow — no secrets needed
 - [x] **Phase 1c**: Add Nomad validate step — add `NOMAD_ADDR` + read-only `NOMAD_TOKEN` to Gitea secrets
-- [ ] **Phase 2**: Add image pull validation step to the workflow
+- [x] **Phase 2**: Add image pull validation step to the workflow
 - [ ] **Phase 3a**: Add `update` stanzas to ntfy and glance (simplest, no volume conflict)
 - [ ] **Phase 3b**: Add rolling `update` stanzas to remaining service jobs (jellyfin, sonarr, etc.)
 - [ ] **Phase 3c**: Add health checks to openreader and unifi before adding update stanzas