diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index b66a8ad7d56f4ac57c671a91ed8f44e272689577..4ee2f661b0efce6c63081b521bb67257ae47429b 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -116,7 +116,18 @@ check-semantic-version:
   script:
     - echo -n "$CI_COMMIT_TAG" | ./.gitlab/scripts/check-semantic-version.sh
 
-gitlab-opentofu-image:build:
+.gitlab-opentofu-image:build:base:rules: &gitlab-opentofu-image-build-base-rules
+  - if: $CI_COMMIT_TAG
+  - changes:
+      - Dockerfile.*
+      - .dockerignore
+      - opentofu_versions.yaml
+      - .gitlab-ci.yml
+      - src/**/*
+      - templates/**/*
+      - tests/**/*
+
+.gitlab-opentofu-image:build:base:
   extends: '.image-matrix:build'
   stage: build
   image: quay.io/containers/buildah:v1.37.5
@@ -149,16 +160,22 @@ gitlab-opentofu-image:build:
       --manifest "$GITLAB_OPENTOFU_IMAGE_NAME"
       .
     - buildah manifest push --all "$GITLAB_OPENTOFU_IMAGE_NAME"
+
+gitlab-opentofu-image:build:
+  extends: '.gitlab-opentofu-image:build:base'
   rules:
-    - if: $CI_COMMIT_TAG
-    - changes:
-        - Dockerfile.*
-        - .dockerignore
-        - opentofu_versions.yaml
-        - .gitlab-ci.yml
-        - src/**/*
-        - templates/**/*
-        - tests/**/*
+    - if: $OPENTOFU_COMPONENT_IMAGE_BUILD_RUNNER_TAG
+      when: never
+    - *gitlab-opentofu-image-build-base-rules
+
+gitlab-opentofu-image:build:custom-runner:
+  extends: '.gitlab-opentofu-image:build:base'
+  tags:
+    - $OPENTOFU_COMPONENT_IMAGE_BUILD_RUNNER_TAG
+  rules:
+    - if: '$OPENTOFU_COMPONENT_IMAGE_BUILD_RUNNER_TAG == null || $OPENTOFU_COMPONENT_IMAGE_BUILD_RUNNER_TAG == ""'
+      when: never
+    - *gitlab-opentofu-image-build-base-rules
 
 check-versions:
   stage: test
@@ -237,7 +254,11 @@ gitlab-opentofu-image:deploy:
 
 gitlab-opentofu-image:deploy:dry-run:
   extends: ['.gitlab-opentofu-image:deploy:base']
-  needs: ['gitlab-opentofu-image:build']
+  needs:
+    - job: 'gitlab-opentofu-image:build'
+      optional: true
+    - job: 'gitlab-opentofu-image:build:custom-runner'
+      optional: true
   script:
     - echo "dry run"
   rules:
diff --git a/.gitlab/README.md.template b/.gitlab/README.md.template
index 5665ef3316f29d53470336730cacffcbe157535d..28a0c49fe32afb2d80f3051c0bb4eb54fdae4be0 100644
--- a/.gitlab/README.md.template
+++ b/.gitlab/README.md.template
@@ -457,6 +457,9 @@ See also the official GitLab documentation for it
 If you want to save runner resources you may disable the unit and integration tests
 by setting the `SKIP_TESTS` CI/CD variable to `true`.
 
+You can set the `OPENTOFU_COMPONENT_IMAGE_BUILD_RUNNER_TAG` CI/CD variable to a custom runner tag
+to use for the image build job. This may be useful if you require a dedicated privileged runner.
+
 The pipeline of this component respects the
 [GitLab Dependency Proxy](https://docs.gitlab.com/ee/user/packages/dependency_proxy/) configuration
 by detecting the `CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX` environment variable
diff --git a/README.md b/README.md
index 4c6cdf7d86287b5bade105701298cefa05b821ed..06023aa86c75427dd7368efba237450c0becbba8 100644
--- a/README.md
+++ b/README.md
@@ -472,6 +472,9 @@ See also the official GitLab documentation for it
 If you want to save runner resources you may disable the unit and integration tests
 by setting the `SKIP_TESTS` CI/CD variable to `true`.
 
+You can set the `OPENTOFU_COMPONENT_IMAGE_BUILD_RUNNER_TAG` CI/CD variable to a custom runner tag
+to use for the image build job. This may be useful if you require a dedicated privileged runner.
+
 The pipeline of this component respects the
 [GitLab Dependency Proxy](https://docs.gitlab.com/ee/user/packages/dependency_proxy/) configuration
 by detecting the `CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX` environment variable