diff --git a/.ci/docker-package-push.sh b/.ci/docker-package-push.sh
deleted file mode 100755
index 920ad40..0000000
--- a/.ci/docker-package-push.sh
+++ /dev/null
@@ -1,31 +0,0 @@
-#!/usr/bin/env bash
-#
-# Build the docker image for the mutating webhook and push it to the given
-# docker registry.
-#
-# Arguments:
-# - REPO: the docker repo name
-# - NAME: the docker image name
-# - TAG: the docker tag version
-# - SHORT_GIT_SHA: whether to short the git sha, aka the given TAG argument.
-
-set -euo pipefail
-
-export REPO=${1:?docker repo not set}
-export NAME=${2:?docker image name not set}
-export TAG=${3:?docker tag not set}
-export SHORT_GIT_SHA=${4:-false}
-
-# Use the short git SHA
-if [ "$SHORT_GIT_SHA" == "true" ] ; then
-	TAG=${TAG:0:7}
-fi
-
-fqn="${REPO}/${NAME}:${TAG}"
-latest="${REPO}/${NAME}:latest"
-
-echo "INFO: Build docker image ${fqn}"
-make .webhook
-
-echo "INFO: Push docker image ${fqn}"
-docker push "${fqn}"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 4c0ff68..0833f72 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -23,8 +23,8 @@ jobs:
     name: Lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-go@v3
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
         with:
           go-version-file: go.mod
           cache: true
@@ -36,12 +36,13 @@ jobs:
           gofmt -l . | read && echo "Code differs from gofmt's style. Run 'gofmt -w .'" 1>&2 && exit 1 || true
       - name: Go vet
         run: go vet
+      - run: ./scripts/lint-versions.sh
   notice:
     name: NOTICE.txt
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-go@v3
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
         with:
           go-version-file: go.mod
           cache: true
@@ -55,8 +56,8 @@ jobs:
     name: Build
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-go@v3
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
         with:
           go-version-file: go.mod
           cache: true
@@ -68,8 +69,8 @@ jobs:
     name: Test
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-go@v3
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
         with:
           go-version-file: go.mod
           cache: true
@@ -89,6 +90,6 @@ jobs:
     name: Package
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Package
         run: make .webhook
diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml
index 5cbefad..9abcb3d 100644
--- a/.github/workflows/integration.yml
+++ b/.github/workflows/integration.yml
@@ -68,13 +68,15 @@ jobs:
         with:
           version: v3.11.2
 
-      - name: Install webhook
-        run:
-          cd charts;
-          helm install webhook-chart apm-attacher/ --namespace=elastic-apm --create-namespace --values ../test/mock/test_values.yaml;
-          sleep 5;
-          export CHART_SERVICE=`kubectl get pods -A | grep 'webhook-chart' | awk -F ' ' '{print $2}'` ;
-          sh ../test/mock/wait_for_container_start.sh $CHART_SERVICE elastic-apm;
+      - name: Build and install webhook
+        run: |
+          make .webhook  # builds "apm/apm-attacher:latest" Docker image
+          docker tag apm/apm-attacher:latest localhost:5001/apm-attacher:latest
+          docker push localhost:5001/apm-attacher:latest
+          helm install webhook-chart ./charts/apm-attacher/ --namespace=elastic-apm --create-namespace --values test/mock/test_values.yaml
+          sleep 5
+          export POD_NAME=`kubectl get pods -A | grep 'webhook-chart' | awk -F ' ' '{print $2}'`
+          sh test/mock/wait_for_container_start.sh $POD_NAME
 
       - name: Start Test Images
         run: |
diff --git a/.github/workflows/opentelemetry.yml b/.github/workflows/opentelemetry.yml
index fa9c564..9580090 100644
--- a/.github/workflows/opentelemetry.yml
+++ b/.github/workflows/opentelemetry.yml
@@ -5,7 +5,7 @@ on:
   workflow_run:
     workflows:
       - ci
-      - publish
+      - release
     types: [completed]
 
 jobs:
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
deleted file mode 100644
index db84523..0000000
--- a/.github/workflows/publish.yml
+++ /dev/null
@@ -1,37 +0,0 @@
----
-
-name: publish
-
-on:
-  push:
-    branches:
-      - main
-
-# Limit the access of the generated GITHUB_TOKEN
-permissions:
-  contents: read
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
-
-jobs:
-  publish:
-    name: Publish
-    runs-on: ubuntu-latest
-    env:
-      DOCKER_REGISTRY: docker.elastic.co
-      DOCKER_SECRET: secret/observability-team/ci/docker-registry/prod
-      DOCKER_IMAGE_NAME: apm-attacher
-    steps:
-      - uses: actions/checkout@v3
-      - uses: elastic/apm-pipeline-library/.github/actions/docker-login@current
-        with:
-          registry: ${{ env.DOCKER_REGISTRY }}
-          secret: ${{ env.DOCKER_SECRET }}
-          url: ${{ secrets.VAULT_ADDR }}
-          roleId: ${{ secrets.VAULT_ROLE_ID }}
-          secretId: ${{ secrets.VAULT_SECRET_ID }}
-      - name: Package & Publish
-        run: |
-          ./.ci/docker-package-push.sh ${DOCKER_REGISTRY}/observability ${DOCKER_IMAGE_NAME} ${{ github.sha }} true
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index a61e66a..bfa199b 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -15,9 +15,9 @@ jobs:
     env:
       DOCKER_REGISTRY: docker.elastic.co
       DOCKER_SECRET: secret/observability-team/ci/docker-registry/prod
-      DOCKER_IMAGE_NAME: apm-attacher
+      DOCKER_IMAGE_NAME: observability/apm-attacher
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: elastic/apm-pipeline-library/.github/actions/docker-login@current
         with:
           registry: ${{ env.DOCKER_REGISTRY }}
@@ -25,9 +25,12 @@ jobs:
           url: ${{ secrets.VAULT_ADDR }}
           roleId: ${{ secrets.VAULT_ROLE_ID }}
           secretId: ${{ secrets.VAULT_SECRET_ID }}
-      - name: Package & Publish
+      - name: Docker build, tag, and push
         run: |
-          ./.ci/docker-package-push.sh ${DOCKER_REGISTRY}/observability ${DOCKER_IMAGE_NAME} ${{ github.ref_name }}
+          make .webhook REPO=${DOCKER_REGISTRY} NAME=${DOCKER_IMAGE_NAME} TAG=${{ github.ref_name }}
+          docker push ${DOCKER_REGISTRY}/${DOCKER_IMAGE_NAME}:${{ github.ref_name }}
+          docker tag ${DOCKER_REGISTRY}/${DOCKER_IMAGE_NAME}:${{ github.ref_name }} ${DOCKER_REGISTRY}/${DOCKER_IMAGE_NAME}:latest
+          docker push ${DOCKER_REGISTRY}/${DOCKER_IMAGE_NAME}:latest
 
   release-helm-charts:
     name: Release Helm Charts
@@ -52,12 +55,11 @@ jobs:
       # Needed to create the release notes
       contents: write
     steps:
-      - uses: actions/checkout@v3
-      - name: make release-notes
+      - uses: actions/checkout@v4
+      - run: make -C .ci release-notes
         env:
           BRANCH_NAME: ${{ github.ref_name }}
           GH_TOKEN: ${{ github.token }}
-        run: make -C .ci release-notes
 
   status:
     if: always()
diff --git a/Makefile b/Makefile
index 96ad32d..6cff180 100644
--- a/Makefile
+++ b/Makefile
@@ -28,6 +28,7 @@ update-licenses:
 lint:
 	go run $(GO_CI_LINT) version
 	go run $(GO_CI_LINT) run
+	./scripts/lint-versions.sh
 
 .webhook: *.go Dockerfile
 	docker build --build-arg GO_VERSION=$(shell cat .go-version) -t $(REPO)/$(NAME):$(TAG) .
diff --git a/RELEASING.md b/RELEASING.md
new file mode 100644
index 0000000..7fa0c9c
--- /dev/null
+++ b/RELEASING.md
@@ -0,0 +1,28 @@
+# How to release apm-k8s-attacher
+
+0. Make sure everything is working by testing "main". (TODO: Clarify a manual testing procedure if one is required beyond automated tests.)
+1. Create a PR for the release (named "release N.M.P" or whatever):
+    - Update the `version:` at "./charts/apm-attacher/Chart.yaml", e.g. "1.2.3".
+    - Update the `image.tag:` at "./charts/apm-attacher/values.yaml", e.g. "v1.2.3".
+      Note that this file includes a "v" prefix in the version.
+    Get the PR approved and merged.
+2. Working in a clone of the actual repo (not a fork), lightweight tag the repo:
+    ```
+    git tag vN.M.P
+    git push origin vN.M.P
+    ```
+3. Sanity check that the release worked:
+    - The release CI should trigger on the pushed tag. Check https://github.com/elastic/apm-k8s-attacher/actions/workflows/release.yml
+    - https://github.com/elastic/apm-k8s-attacher/releases should show the new release.
+    - The Elastic Docker registry should show the new `docker.elastic.co/observability/apm-attacher:vN.M.P` version
+      and the "latest" tag should pull the same digest
+        ```
+        docker pull docker.elastic.co/observability/apm-attacher:vN.M.P
+        docker pull docker.elastic.co/observability/apm-attacher:latest  # same digest?
+        ```
+    - The Elastic Helm repository should show the new release, though it may take a while (an hour?) to show up:
+        ```
+        helm repo add elastic https://helm.elastic.co
+        helm repo update elastic
+        helm search repo -l elastic/apm-attacher
+        ```
diff --git a/charts/apm-attacher/Chart.yaml b/charts/apm-attacher/Chart.yaml
index 06c97d4..80d124b 100644
--- a/charts/apm-attacher/Chart.yaml
+++ b/charts/apm-attacher/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: apm-attacher
 type: application
-version: "0.4.0"
+version: "0.5.0"
 description: A Helm chart installing the Elastic APM Kubernetes Attacher.
 sources:
   - https://github.com/elastic/apm-k8s-attacher
diff --git a/charts/apm-attacher/values.yaml b/charts/apm-attacher/values.yaml
index 5cabcdc..f07a205 100644
--- a/charts/apm-attacher/values.yaml
+++ b/charts/apm-attacher/values.yaml
@@ -1,6 +1,6 @@
 image:
   repository: docker.elastic.co/observability/apm-attacher
-  tag: latest
+  tag: "v0.5.0"
   pullPolicy: Always
   pullSecrets: []
 
@@ -41,6 +41,6 @@ webhookConfig:
       environment:
         CORECLR_ENABLE_PROFILING: "1"
         CORECLR_PROFILER: "{FA65FE15-F085-4681-9B20-95E04F6C03CC}"
-        CORECLR_PROFILER_PATH: "/usr/agent/apm-dotnet-agent/libelastic_apm_profiler.so" 
+        CORECLR_PROFILER_PATH: "/usr/agent/apm-dotnet-agent/libelastic_apm_profiler.so"
         ELASTIC_APM_PROFILER_HOME: "/usr/agent/apm-dotnet-agent"
         ELASTIC_APM_PROFILER_INTEGRATIONS: "/usr/agent/apm-dotnet-agent/integrations.yml"
diff --git a/scripts/lint-versions.sh b/scripts/lint-versions.sh
new file mode 100755
index 0000000..6037558
--- /dev/null
+++ b/scripts/lint-versions.sh
@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+
+# Copyright 2022 Elasticsearch BV
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Doing a release involves updating the version in two places. This script
+# ensures those versions match.
+
+if [ "$TRACE" != "" ]; then
+    export PS4='${BASH_SOURCE}:${LINENO}: ${FUNCNAME[0]:+${FUNCNAME[0]}(): }'
+    set -o xtrace
+fi
+set -o errexit
+set -o pipefail
+
+TOP=$(unset CDPATH; cd $(dirname $0)/../; pwd)
+
+function fatal {
+    echo "$(basename $0): error: $*"
+    exit 1
+}
+
+CHART_PATH=charts/apm-attacher/Chart.yaml
+CHART_VER=$(grep "^version:" "$TOP/$CHART_PATH" | cut -d'"' -f2)
+VALUES_PATH=charts/apm-attacher/values.yaml
+VALUES_VER=$(grep "tag:" "$TOP/$VALUES_PATH" | cut -d'"' -f2)
+
+if [[ "${VALUES_VER:0:1}" != "v" ]]; then
+    fatal "tag value in $VALUES_PATH, '$VALUES_VER', does not start with a 'v'"
+fi
+if [[ "v$CHART_VER" != "$VALUES_VER" ]]; then
+    fatal "version in $CHART_PATH, '$CHART_VER', does not match tag in $VALUES_PATH, '$VALUES_VER'"
+fi
diff --git a/test/mock/test_values.yaml b/test/mock/test_values.yaml
index e3b6104..96cb224 100644
--- a/test/mock/test_values.yaml
+++ b/test/mock/test_values.yaml
@@ -1,15 +1,18 @@
+image:
+  repository: localhost:5001/apm-attacher
+  tag: "latest"
 apm:
   secret_token: YOUR_SECRET_TOKEN
-  namespaces: 
+  namespaces:
     - default
 webhookConfig:
   agents:
-    java: 
+    java:
       environment:
         ELASTIC_APM_SERVER_URL: "http://mock-apm-server-service:8027"
         ELASTIC_APM_ENVIRONMENT: "test"
         ELASTIC_APM_LOG_LEVEL: "DEBUG"
-    nodejs: 
+    nodejs:
       environment:
         ELASTIC_APM_SERVER_URL: "http://mock-apm-server-service:8027"
         ELASTIC_APM_ENVIRONMENT: "test"
diff --git a/test/mock/wait_for_container_start.sh b/test/mock/wait_for_container_start.sh
index 62af7a3..75f3179 100644
--- a/test/mock/wait_for_container_start.sh
+++ b/test/mock/wait_for_container_start.sh
@@ -1,7 +1,9 @@
 #!/bin/sh
+
 MAX_WAIT_SECONDS=60
 POD_NAME=$1
-echo "Waiting up to $MAX_WAIT_SECONDS seconds for pod $1 to start"
+
+echo "Waiting up to $MAX_WAIT_SECONDS seconds for pod $POD_NAME to start"
 count=0
 while [ $count -lt $MAX_WAIT_SECONDS ]
 do
@@ -13,4 +15,9 @@ do
   fi
   sleep 1
 done
+
+echo "error: pod matching '$POD_NAME' failed to start within $MAX_WAIT_SECONDS seconds"
+echo "-- pod info:"
+kubectl get pod -A
+echo "--"
 exit 1