diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 0000000..1129504
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,8 @@
+__pycache__/
+.venv
+.git
+output
+build
+.ruff_cache
+.pytest_cache
+.mypy_cache
diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml
index 2033cb1..7af841d 100644
--- a/.github/workflows/cicd.yml
+++ b/.github/workflows/cicd.yml
@@ -144,3 +144,53 @@ jobs:
         uses: pypa/gh-action-pypi-publish@release/v1
         with:
           password: ${{ secrets.PYPI_API_TOKEN }}
+
+  publish_image:
+    runs-on: ubuntu-latest
+    needs: [test_and_build]
+    if: github.event.repository.fork == false && startsWith(github.ref, 'refs/tags')
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Download build artifact
+        uses: actions/download-artifact@v3
+        with:
+          name: wheel2deb_linux_amd64
+
+      - name: Set execute permission
+        run: chmod +x wheel2deb_linux_amd64
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set docker image tags and labels
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ghcr.io/upciti/wheel2deb
+          tags: |
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+            type=ref,event=branch
+
+      - name: Build Docker image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          build-args: |
+            WHEEL2DEB_PATH=wheel2deb_linux_amd64
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+
+      - name: Check Docker image
+        run: docker run --rm -i ghcr.io/${{ github.event.repository.full_name }}:latest --help
+
+      - name: Publish Docker image
+        run: |
+          docker push --all-tags ghcr.io/${{ github.event.repository.full_name }}
diff --git a/Dockerfile b/Dockerfile
index c0a82bc..48d9a87 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,40 +1,20 @@
-FROM python:3.8-buster AS builder
-RUN apt-get -yq update \
- && apt-get -yq --no-install-suggests --no-install-recommends install \
-    git \
- && apt-get clean
-COPY . /src
-RUN cd src && python3 setup.py bdist_wheel
-
+FROM wakemeops/debian:bookworm
 
-FROM debian:buster AS base
+ARG WHEEL2DEB_PATH="dist/wheel2deb"
+COPY ${WHEEL2DEB_PATH} /usr/local/bin/wheel2deb
 
-RUN dpkg --add-architecture armhf \
- && apt-get -yq update \
- && apt-get -yq --no-install-suggests --no-install-recommends install \
-    libc6:armhf \
-    binutils-arm-linux-gnueabihf \
+RUN install_packages \
     build-essential \
-    debhelper \
-    devscripts \
     fakeroot \
-    lintian \
-    apt-file \
-    python3-distutils \
-    python3-apt \
-    curl \
- && apt-get clean
-
-RUN curl -nSL https://bootstrap.pypa.io/get-pip.py > /tmp/get-pip.py \
-    && chmod +x /tmp/get-pip.py \
-    && python3 /tmp/get-pip.py \
-    && rm /tmp/get-pip.py
-
-RUN pip3 install --no-cache-dir pytest pytest-cov
+    debhelper \
+    binutils-arm-linux-gnueabihf \
+    binutils-aarch64-linux-gnu \
+    git \
+    ca-certificates \
+    apt-file
 
-COPY --from=builder /src/dist/*.whl /
-RUN pip3 install --no-cache-dir /*.whl && rm /*.whl
+RUN dpkg --add-architecture armhf && \
+    dpkg --add-architecture arm64
 
-VOLUME /data
-WORKDIR /data
 ENTRYPOINT ["wheel2deb"]
+USER 1000