diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index dece75b3..f9db2adb 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -65,16 +65,16 @@ jobs:
       - name: Integration tests
         run: |
           set -xeu
-          # Build images to test; TODO investigate doing single container builds
-          # via GHA and pushing to a temporary registry to share among workflows?
-          # Preserve rustup/cargo environment for sudo (rustup needs RUSTUP_HOME to find toolchains)
-          sudojust() { sudo env PATH="$PATH" CARGO_HOME="${CARGO_HOME:-$HOME/.cargo}" RUSTUP_HOME="${RUSTUP_HOME:-$HOME/.rustup}" just "$@"; }
-          sudojust build
-          sudojust build-install-test-image
+          # Build images as regular user, then copy to root's podman storage
+          # This avoids cargo cache permission issues when running cargo as root
+          just build
+          just build-install-test-image
+          just copy-to-rootful localhost/bootc
+          just copy-to-rootful localhost/bootc-install
+          # Copy bound images (LBI) to root's storage for tests that need them
+          just copy-lbi-to-rootful
           sudo podman build -t localhost/bootc-fsverity -f ci/Containerfile.install-fsverity
 
-          # Grant permission
-          sudo chown -R "$(id -u):$(id -g)" /home/runner/work/bootc/bootc
           # TODO move into a container, and then have this tool run other containers
           cargo build --release -p tests-integration
 
diff --git a/Justfile b/Justfile
index e3997ba9..dc865a38 100644
--- a/Justfile
+++ b/Justfile
@@ -282,3 +282,47 @@ _keygen:
 
 _build-upgrade-image:
     cat tmt/tests/Dockerfile.upgrade | podman build -t {{upgrade_img}} --from={{base_img}} -
+
+# Copy an image from user podman storage to root's podman storage
+# This allows building as regular user then running privileged tests
+[group('testing')]
+copy-to-rootful $image:
+    #!/bin/bash
+    set -euxo pipefail
+
+    # If already running as root, nothing to do
+    if [[ "${UID}" -eq "0" ]]; then
+        echo "Already root, no need to copy image"
+        exit 0
+    fi
+
+    # Check if the image exists in user storage
+    if ! podman image exists "${image}"; then
+        echo "Image ${image} not found in user podman storage" >&2
+        exit 1
+    fi
+
+    # Get the image ID from user storage
+    USER_IMG_ID=$(podman images --filter reference="${image}" --format '{{{{.ID}}')
+
+    # Check if the same image ID exists in root storage
+    ROOT_IMG_ID=$(sudo podman images --filter reference="${image}" --format '{{{{.ID}}' 2>/dev/null || true)
+
+    if [[ "${USER_IMG_ID}" == "${ROOT_IMG_ID}" ]] && [[ -n "${ROOT_IMG_ID}" ]]; then
+        echo "Image ${image} already exists in root storage with same ID"
+        exit 0
+    fi
+
+    # Copy the image from user to root storage
+    # Use podman save/load via pipe (works on systems without machinectl)
+    podman save "${image}" | sudo podman load
+    echo "Copied ${image} to root podman storage"
+
+# Copy all LBI (bound) images to root's podman storage
+[group('testing')]
+copy-lbi-to-rootful:
+    #!/bin/bash
+    set -euxo pipefail
+    for img in {{lbi_images}}; do
+        just copy-to-rootful "$img"
+    done