diff --git a/.github/workflows/push.yaml b/.github/workflows/push.yaml index 263e86d..1b108e7 100644 --- a/.github/workflows/push.yaml +++ b/.github/workflows/push.yaml @@ -24,32 +24,40 @@ jobs: name: bin path: bin/ docker-build-push: - if: github.ref_name == 'master' || startsWith(github.ref, 'refs/tags/v') + permissions: + contents: read + packages: write + env: + REGISTRY: "${{ github.repository == 'uswitch/vault-creds' && 'quay.io' || 'ghcr.io' }}" + IMAGE_NAME: "${{ github.repository == 'uswitch/vault-creds' && 'uswitch/vault-creds' || github.repository }}" needs: [test, build] runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - - uses: actions/download-artifact@v3 - with: - name: bin - path: bin/ - - name: Login to Quay.io + + - name: Setup Docker buildx + uses: docker/setup-buildx-action@v3 + + - name: Login to registry uses: docker/login-action@v3 with: - registry: quay.io - username: ${{ secrets.QUAY_USERNAME }} - password: ${{ secrets.QUAY_PASSWORD }} + registry: ${{ env.REGISTRY }} + username: ${{ env.REGISTRY == 'quay.io' && secrets.QUAY_USERNAME || github.actor }} + password: ${{ env.REGISTRY == 'quay.io' && secrets.QUAY_PASSWORD || secrets.GITHUB_TOKEN }} + - id: meta uses: docker/metadata-action@v4 with: - images: quay.io/uswitch/vault-creds + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} tags: | type=semver,pattern=v{{version}} type=sha,prefix=,format=long, + - uses: docker/build-push-action@v4 with: context: . labels: ${{ steps.meta.outputs.labels }} - push: true + platforms: linux/amd64,linux/arm64 + push: ${{ github.ref_name == 'master' || startsWith(github.ref, 'refs/tags/v') }} tags: ${{ steps.meta.outputs.tags }} - + build-args: LDFLAGS=-X main.SHA=${{ github.sha }} diff --git a/Dockerfile b/Dockerfile index a157e4d..3689480 100644 --- a/Dockerfile +++ b/Dockerfile 
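Review bot: The "Login to registry" step now runs on every execution of this job, because the job-level `if:` was replaced by the `push:` expression on `docker/build-push-action`, so the Quay secrets are read and a registry login is performed even on runs that publish nothing; gate the step the same way, e.g. `if: github.ref_name == 'master' || startsWith(github.ref, 'refs/tags/v')` directly under `- name: Login to registry`. This matters because the `&& ... ||` idiom in `username`/`password` falls back to `github.actor`/`secrets.GITHUB_TOKEN` whenever the Quay secret expands to an empty string (for instance on runs where secrets are not available), and that fallback would then be sent to quay.io and fail the job even though `push` evaluates to false. The workflow's `on:` triggers are outside the hunk, so which events reach this job cannot be confirmed from here. The actions are referenced by mutable major-version tags (`@v3`, `@v4`); pinning them to commit SHAs with a version comment would harden the supply chain of a job that holds `packages: write` and registry credentials.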
@@ -1,12 +1,25 @@
-FROM alpine:3 as base
+FROM --platform=$BUILDPLATFORM golang:1.20-alpine AS builder
-RUN apk add -U --no-cache ca-certificates
+ARG TARGETOS
+ARG TARGETARCH
+ARG LDFLAGS
-FROM scratch
+# Install our build tools
+RUN apk add --update ca-certificates
-COPY --chmod=755 bin/vaultcreds /vaultcreds
+WORKDIR /go/src/app
-COPY --from=base /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+COPY . ./
+
+RUN GOOS=$TARGETOS GOARCH=$TARGETARCH CGO_ENABLED=0 go build -ldflags="$LDFLAGS" -o bin/vaultcreds cmd/main.go
+
+RUN echo "nonroot:x:1337:1337:nonroot:/nonroot:/usr/sbin/nologin" > /etc_passwd
+
+FROM --platform=$BUILDPLATFORM scratch
+COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+COPY --from=builder /go/src/app/bin/* /
+COPY --from=builder /etc_passwd /etc/passwd
+
+USER nonroot
 ENTRYPOINT ["/vaultcreds"]
-CMD []
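Review bot: `FROM --platform=$BUILDPLATFORM scratch` on the final stage likely stamps the runtime image with the build host's platform rather than the target platform, so with `platforms: linux/amd64,linux/arm64` in the workflow the arm64 variant would be labelled as amd64 and the manifest list would be wrong; `--platform=$BUILDPLATFORM` belongs only on the builder stage, so change that line to `FROM scratch`. The cross-compile itself (`GOOS=$TARGETOS GOARCH=$TARGETARCH CGO_ENABLED=0`) is correct and needs no emulation, which is consistent with the workflow setting up buildx alone. `COPY . ./` brings the whole build context into the builder stage; unless a `.dockerignore` (not visible here) excludes `.git` and any local credentials, they land in the build cache even though the runtime stage copies only the binary, the CA bundle and the passwd file. `golang:1.20-alpine` is a mutable tag; pinning it by digest (`golang:1.20-alpine@sha256:<digest>`, placeholder) keeps the toolchain from changing underneath the pipeline, and `RUN apk add --update ca-certificates` would conventionally be `apk add --no-cache ca-certificates`.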