diff --git a/Dockerfile b/Dockerfile
index 5a398a9..8d42dc2 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -52,6 +52,9 @@ FROM ${PULL_URL}:${DISTRO_VERSION} AS build
 ARG TZ
 ARG USER
 ARG LICENSE
+# Optional: pass --build-arg GITHUB_TOKEN=$(gh auth token) to raise the API rate
+# limit from 60 to 5000 req/hr — avoids 403s in parallel multi-platform builds.
+ARG GITHUB_TOKEN=""
 ARG TIMEZONE
 ARG LANGUAGE
 ARG IMAGE_NAME
@@ -91,6 +94,7 @@ ENV GOTOOLCHAIN="auto"
 ENV GOFLAGS="-buildvcs=false"
 ENV GOTELEMETRY="off"
 ENV GOPROXY="https://proxy.golang.org,direct"
+ENV GITHUB_TOKEN="${GITHUB_TOKEN}"
 
 USER ${USER}
 WORKDIR /root
diff --git a/rootfs/root/docker/setup/05-custom.sh b/rootfs/root/docker/setup/05-custom.sh
index 809289e..14af04d 100755
--- a/rootfs/root/docker/setup/05-custom.sh
+++ b/rootfs/root/docker/setup/05-custom.sh
@@ -41,20 +41,29 @@ GOCACHE_BUILD="/tmp/go-build-cache"
 # - - - - - - - - - - - - - - - - - - - - - - - - -
 # Helpers
 
-# Return the latest release tag from GitHub; exits 1 if the version cannot be resolved
+# Return the latest release tag from GitHub; retries up to 3 times on transient errors
+# (rate-limit 403s are common in parallel multi-platform builds without a token).
+# Set GITHUB_TOKEN to raise the authenticated rate limit (5000 req/hr vs 60 req/hr).
 _gh_latest() {
   local repo="$1"
   local filter="${2:-.tag_name}"
   local auth_header=""
   [ -n "${GITHUB_TOKEN:-}" ] && auth_header="-H Authorization: token ${GITHUB_TOKEN}"
-  # shellcheck disable=SC2206
-  local ver
-  ver="$(curl -fsSL ${auth_header:+$auth_header} "https://api.github.com/repos/${repo}/releases/latest" | jq -r "${filter}")"
-  if [ -z "$ver" ] || [ "$ver" = "null" ]; then
-    echo "ERROR: could not resolve latest version for ${repo}" >&2
-    exit 1
-  fi
-  echo "$ver"
+  local ver attempt
+  for attempt in 1 2 3; do
+    # shellcheck disable=SC2206
+    ver="$(curl -fsSL ${auth_header:+$auth_header} "https://api.github.com/repos/${repo}/releases/latest" | jq -r "${filter}")"
+    if [ -n "$ver" ] && [ "$ver" != "null" ]; then
+      echo "$ver"
+      return 0
+    fi
+    if [ "$attempt" -lt 3 ]; then
+      echo "  rate-limited on ${repo} (attempt ${attempt}/3) — retrying in 60s..." >&2
+      sleep 60
+    fi
+  done
+  echo "ERROR: could not resolve latest version for ${repo} after 3 attempts" >&2
+  exit 1
 }
 
 # Download a tar.gz asset, find a named binary anywhere inside, install to GOBIN_DIR