diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 8cafba338b..62c1925e1c 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -103,29 +103,107 @@ jobs:
           max_attempts: 3
           command: mise run test
   dockerhub:
-    runs-on: ubuntu-latest
+    runs-on: ${{ matrix.platform.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        platform:
+          - os: ubuntu-latest
+            tag_suffix: amd64
+            platform: linux/amd64
+          - os: ubuntu-24.04-arm
+            tag_suffix: arm64
+            platform: linux/arm64
     steps:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+      - name: Prepare
+        run: |
+          platform=${{ matrix.platform.platform }}
+          echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            jdxcode/mise
+            ghcr.io/jdx/mise
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: jdxcode
+          password: ${{ secrets.DOCKER_PASSWORD }}
+      - name: Login to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
-      - name: Log in to Docker Hub
+      - name: Build and push by digest
+        id: build
+        uses: docker/build-push-action@v6
+        with:
+          platforms: ${{ matrix.platform }}
+          labels: ${{ steps.meta.outputs.labels }}
+          outputs: type=image,"name=jdxcode/mise,ghcr.io/jdx/mise",push-by-digest=true,name-canonical=true,push=true
+      - name: Export digest
+        run: |
+          mkdir -p ${{ runner.temp }}/digests
+          digest="${{ steps.build.outputs.digest }}"
+          touch "${{ runner.temp }}/digests/${digest#sha256:}"
+      - name: Upload digest
+        uses: actions/upload-artifact@v4
+        with:
+          name: digests-${{ env.PLATFORM_PAIR }}
+          path: ${{ runner.temp }}/digests/*
+          if-no-files-found: error
+          retention-days: 1
+  merge:
+    runs-on: ubuntu-latest
+    needs: [dockerhub]
+    steps:
+      - name: Download digests
+        uses: actions/download-artifact@v4
+        with:
+          path: ${{ runner.temp }}/digests
+          pattern: digests-*
+          merge-multiple: true
+      - name: Login to Docker Hub
         uses: docker/login-action@v3
         with:
-          username: ${{ secrets.DOCKER_USERNAME }}
+          username: jdxcode
           password: ${{ secrets.DOCKER_PASSWORD }}
-      - name: Extract metadata (tags, labels) for Docker
+      - name: Login to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: jdx
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Docker meta
         id: meta
         uses: docker/metadata-action@v5
         with:
-          images: jdxcode/mise
-      - name: Build and push Docker image
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          file: ./Dockerfile
-          platforms: linux/amd64,linux/arm64
-          push: true
-          tags: jdxcode/mise:latest,jdxcode/mise:${{ github.ref_name }}
-          labels: ${{ steps.meta.outputs.labels }}
+          images: |
+            jdxcode/mise
+            ghcr.io/jdx/mise
+          tags: |
+            type=ref,event=branch
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+      - name: Create manifest list and push
+        working-directory: ${{ runner.temp }}/digests
+        run: |
+          docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
+            $(printf 'jdxcode/mise:${{ github.ref_name }}@sha256:%s ' *)
+          docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
+            $(printf 'ghcr.io/jdx/mise:${{ github.ref_name }}@sha256:%s ' *)
+      - name: Inspect image
+        run: |
+          docker buildx imagetools inspect jdxcode/mise:${{ steps.meta.outputs.version }}
+          docker buildx imagetools inspect ghcr.io/jdx/mise:${{ steps.meta.outputs.version }}
\ No newline at end of file
diff --git a/mise.lock b/mise.lock
index fe990483ab..03e4c80b70 100644
--- a/mise.lock
+++ b/mise.lock
@@ -1,12 +1,9 @@
 [tools.actionlint]
-version = "1.7.6"
+version = "1.7.7"
 backend = "aqua:rhysd/actionlint"
 
 [tools.actionlint.checksums]
-actionlint-linux-x86_64 = "sha256:bf567ce887b8b045fdd6001411aea1971e90a49e4f5172801fb648902843c9ec"
-actionlint-macos-aarch64 = "sha256:baa69aa6ae140310d9d86127d916abd42cd2ad446aef0a04f2a7fe7f54da7d67"
-"actionlint_1.7.6_darwin_arm64.tar.gz" = "sha256:9a7c9cb2b627bb137ef68742eead2dd5b78f3ddc44876e84c37d323ba28b4710"
-"actionlint_1.7.6_linux_amd64.tar.gz" = "sha256:5d1a70d9de15fee5371e6f9e20cc29b284e814d6ee1b882f9749e91caf716eba"
+"actionlint_1.7.7_darwin_arm64.tar.gz" = "sha256:2693315b9093aeacb4ebd91a993fea54fc215057bf0da2659056b4bc033873db"
 
 [tools.bun]
 version = "1.1.44"
diff --git a/packaging/mise/Dockerfile b/packaging/mise/Dockerfile
index 778973f167..7f0236b423 100644
--- a/packaging/mise/Dockerfile
+++ b/packaging/mise/Dockerfile
@@ -1,6 +1,9 @@
 # syntax=docker/dockerfile:1
 FROM rust AS builder
 LABEL maintainer="jdx"
+LABEL org.opencontainers.image.source=https://github.com/jdx/mise
+LABEL org.opencontainers.image.description="mise is a tool for managing your development environment"
+LABEL org.opencontainers.image.licenses=MIT
 
 WORKDIR /usr/src/mise
 COPY . /usr/src/mise/