diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
index 3e78b87a..ed69e092 100644
--- a/.github/workflows/pull_request.yml
+++ b/.github/workflows/pull_request.yml
@@ -1,4 +1,8 @@
 on: pull_request
+
+# Explicitly grant the `secrets.GITHUB_TOKEN` no permissions.
+permissions: {}
+
 jobs:
 pre-commit:
 runs-on: ubuntu-20.04
@@ -70,3 +74,24 @@ jobs:
 node-version: '8.x'
 - name: Run frontend tests
 run: "npm install grunt-cli && npm install && grunt test"
+ build-dist-docker-image:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: Extract metadata (tags, labels) for Docker
+ id: meta
+ uses: docker/metadata-action@v4
+ with:
+ images: ghcr.io/${{ github.repository }}
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v2
+
+ - name: Build
+ uses: docker/build-push-action@v3
+ with:
+ file: Dockerfile
+ push: false # only build the image, don't push it anywhere
+ context: .
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
\ No newline at end of file
diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
index c311e7b7..06be3779 100644
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
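Review bot: The new `build-dist-docker-image` job references every action by a mutable major-version tag (`actions/checkout@v2`, `docker/metadata-action@v4`, `docker/setup-buildx-action@v2`, `docker/build-push-action@v3`); pinning each to a full commit SHA with the tag kept in a trailing comment, e.g. `uses: docker/build-push-action@<commit-sha>  # v3`, prevents a retagged or compromised upstream release from being pulled into this workflow. The same applies to the `build-and-publish-to-ghcr` job in push.yml, where the token can actually push to GHCR. The job runs on `ubuntu-latest` while the other jobs in this file use `ubuntu-20.04`; using one runner image keeps the PR build matching the release build. The hunk also ends with `\ No newline at end of file`, so the file should regain its trailing newline.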
@@ -51,16 +51,42 @@ jobs:
 with:
 user: __token__
 password: ${{ secrets.pypi_password }}
- build-and-publish-docker-image:
- name: Build and publish docker image
+ build-and-publish-to-ghcr:
+ # Explicitly grant the `secrets.GITHUB_TOKEN` permissions.
+ permissions:
+ # Grant the ability to write to GitHub Packages (push Docker images to
+ # GitHub Container Registry).
+ packages: write
+ name: Build and publish Docker images to GitHub Container Registry
 runs-on: ubuntu-20.04
 steps:
- - name: Checkout
- uses: actions/checkout@v1
- - name: Publish to Registry
- uses: elgohr/Publish-Docker-Github-Action@2.8
+ - uses: actions/checkout@v2
+ - name: Extract metadata (tags, labels) for Docker
+ id: meta
+ uses: docker/metadata-action@v4
+ with:
+ images: ghcr.io/${{ github.repository }}
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v2
+ - name: Login to GitHub Container Registry
+ uses: docker/login-action@v2
+ with:
+ registry: ghcr.io
+ # This is the user that triggered the Workflow. In this case, it will
+ # either be the user whom created the Release or manually triggered
+ # the workflow_dispatch.
+ username: ${{ github.actor }}
+ # `secrets.GITHUB_TOKEN` is a secret that's automatically generated by
+ # GitHub Actions at the start of a workflow run to identify the job.
+ # This is used to authenticate against GitHub Container Registry.
+ # See https://docs.github.com/en/actions/security-guides/automatic-token-authentication#about-the-github_token-secret
+ # for more detailed information.
+ password: ${{ secrets.GITHUB_TOKEN }}
+ - name: Build and push
+ uses: docker/build-push-action@v3
 with:
- name: lyft/confidant
- username: ${{ secrets.DOCKER_USERNAME }}
- password: ${{ secrets.DOCKER_PASSWORD }}
- tag_names: true
+ file: Dockerfile
+ context: .
+ push: true # push the image to ghcr
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
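Review bot: The job-level `permissions:` block grants only `packages: write`, and a job-level block replaces the default token scopes rather than adding to them, so `contents` drops to `none` for the `actions/checkout@v2` step; adding `contents: read` under `permissions:` states the checkout's requirement explicitly and avoids relying on the repository staying public — worth confirming the checkout still succeeds as written. The `DOCKER_USERNAME` and `DOCKER_PASSWORD` secrets removed here are no longer read by this workflow, so unless another workflow still uses them they should be deleted from the repository settings rather than left as idle registry credentials. The inline comment on the `username:` line reads "the user whom created the Release"; `who` is the correct form.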