diff --git a/pkg/workflow/action_pins.go b/pkg/workflow/action_pins.go
index 12aa97a6d77..0d879ef0add 100644
--- a/pkg/workflow/action_pins.go
+++ b/pkg/workflow/action_pins.go
@@ -82,6 +82,20 @@ func getEmbeddedContainerPin(image string) (actionpins.ContainerPin, bool) {
 	return actionpins.GetContainerPin(image)
 }
 
+// lookupContainerPin returns the ContainerPin for the given image, checking cache first
+// then falling back to embedded pins. Returns false if the image is not pinned.
+func lookupContainerPin(image string, cache *ActionCache) (ContainerPin, bool) {
+	if cache != nil {
+		if pin, ok := cache.GetContainerPin(image); ok {
+			return pin, true
+		}
+	}
+	if pin, ok := getEmbeddedContainerPin(image); ok {
+		return ContainerPin(pin), true
+	}
+	return ContainerPin{}, false
+}
+
 // getActionPinWithData returns the pinned action reference for a given action@version,
 // delegating to pkg/actionpins with a PinContext built from WorkflowData.
 func getActionPinWithData(actionRepo, version string, data *WorkflowData) (string, error) {
diff --git a/pkg/workflow/awf_helpers.go b/pkg/workflow/awf_helpers.go
index 472e366fe89..926e2e44c19 100644
--- a/pkg/workflow/awf_helpers.go
+++ b/pkg/workflow/awf_helpers.go
@@ -437,13 +437,12 @@ func buildAWFImageTagWithDigests(imageTag string, workflowData *WorkflowData) st
 // resolveContainerDigest resolves a container image digest from cache first, then
 // falls back to embedded container pins.
 func resolveContainerDigest(image string, workflowData *WorkflowData) string {
-	if workflowData != nil && workflowData.ActionCache != nil {
-		if pin, ok := workflowData.ActionCache.GetContainerPin(image); ok && pin.Digest != "" {
-			return pin.Digest
-		}
+	var cache *ActionCache
+	if workflowData != nil {
+		cache = workflowData.ActionCache
 	}
-	if embeddedPin, ok := getEmbeddedContainerPin(image); ok && embeddedPin.Digest != "" {
-		return embeddedPin.Digest
+	if pin, ok := lookupContainerPin(image, cache); ok && pin.Digest != "" {
+		return pin.Digest
 	}
 	return ""
 }
diff --git a/pkg/workflow/docker.go b/pkg/workflow/docker.go
index b9f3328e47d..d485e483502 100644
--- a/pkg/workflow/docker.go
+++ b/pkg/workflow/docker.go
@@ -205,18 +205,10 @@ func applyContainerPins(images []string, workflowData *WorkflowData) ([]string,
 	}
 
 	for i, img := range images {
-		if cache != nil {
-			if pin, ok := cache.GetContainerPin(img); ok && pin.PinnedImage != "" {
-				result[i] = pin.PinnedImage
-				pins[i] = GHAWManifestContainer(pin)
-				dockerLog.Printf("Pinned container image: %s -> %s", img, pin.PinnedImage)
-				continue
-			}
-		}
-		if embeddedPin, ok := getEmbeddedContainerPin(img); ok && embeddedPin.PinnedImage != "" {
-			result[i] = embeddedPin.PinnedImage
-			pins[i] = GHAWManifestContainer(embeddedPin)
-			dockerLog.Printf("Pinned container image from embedded pins: %s -> %s", img, embeddedPin.PinnedImage)
+		if pin, ok := lookupContainerPin(img, cache); ok && pin.PinnedImage != "" {
+			result[i] = pin.PinnedImage
+			pins[i] = GHAWManifestContainer(pin)
+			dockerLog.Printf("Pinned container image: %s -> %s", img, pin.PinnedImage)
 			continue
 		}
 		result[i] = img