diff --git a/.github/workflows/deploy_backend_dev.yml b/.github/workflows/deploy_backend_dev.yml index e793025..2c23dfc 100644 --- a/.github/workflows/deploy_backend_dev.yml +++ b/.github/workflows/deploy_backend_dev.yml @@ -9,14 +9,38 @@ concurrency: group: deploy-backend-dev cancel-in-progress: true +permissions: + contents: read + packages: write + jobs: - deploy: + build-and-push: runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 + - name: Log in to GHCR + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Build and push image + uses: docker/build-push-action@v5 + with: + context: . + file: Dockerfile + push: true + tags: ghcr.io/scimma/heroic:dev + + deploy: + runs-on: ubuntu-latest + needs: build-and-push + + steps: - name: Prepare SSH shell: bash run: | 
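Review bot: The new top-level `permissions:` block grants `packages: write` to every job, including `deploy`, which only pulls. Declare it per job instead: `packages: write` under `build-and-push` and `packages: read` under `deploy`, so the token that later reaches the deploy host cannot overwrite images. The added `docker/login-action@v3` and `docker/build-push-action@v5` steps handle the registry credential but are referenced by mutable tag; pinning each to a full commit SHA, with the version in a trailing comment, keeps a re-pointed tag from running with that token. Both points apply equally to the first hunk of `deploy_backend_prod.yml`.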
@@ -59,28 +83,33 @@ jobs: shell: bash run: | set -euo pipefail + GHCR_TOKEN="${{ secrets.GITHUB_TOKEN }}" + GHCR_ACTOR="${{ github.actor }}" ssh -i ~/.ssh/id_deploy \ -o IdentitiesOnly=yes \ -o BatchMode=yes \ "${{ secrets.DEV_SSH_USER }}@${{ secrets.DEV_SSH_HOST }}" \ - 'bash -se' <<'REMOTE' + "GHCR_TOKEN=${GHCR_TOKEN} GHCR_ACTOR=${GHCR_ACTOR} bash -se" <<'REMOTE' set -euo pipefail DEPLOY_PATH="$HOME/heroic" FRONTEND_PATH="$HOME/heroic-frontend" + HEROIC_IMAGE="ghcr.io/scimma/heroic:dev" cd "$DEPLOY_PATH" git fetch origin --prune git checkout development git reset --hard origin/development + echo "$GHCR_TOKEN" | docker login ghcr.io -u "$GHCR_ACTOR" --password-stdin + if [ -d "$FRONTEND_PATH" ]; then (cd "$FRONTEND_PATH" && docker compose down) || true fi docker compose -f docker-compose.yml -f docker-compose.dev.yml down --remove-orphans - docker compose -f docker-compose.yml -f docker-compose.dev.yml build - docker compose -f docker-compose.yml -f docker-compose.dev.yml up -d + HEROIC_IMAGE="$HEROIC_IMAGE" docker compose -f docker-compose.yml -f docker-compose.dev.yml pull + HEROIC_IMAGE="$HEROIC_IMAGE" docker compose -f docker-compose.yml -f docker-compose.dev.yml up -d if [ -d "$FRONTEND_PATH" ]; then (cd "$FRONTEND_PATH" && docker compose up --no-build -d) || true @@ -88,7 +117,7 @@ jobs: sleep 20 - docker compose -f docker-compose.yml -f docker-compose.dev.yml exec -T backend poetry run python manage.py collectstatic --noinput + HEROIC_IMAGE="$HEROIC_IMAGE" docker compose -f docker-compose.yml -f docker-compose.dev.yml exec -T backend poetry run python manage.py collectstatic --noinput REMOTE diff --git a/.github/workflows/deploy_backend_prod.yml b/.github/workflows/deploy_backend_prod.yml index 08224e7..34acf3e 100644 --- a/.github/workflows/deploy_backend_prod.yml +++ b/.github/workflows/deploy_backend_prod.yml 
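Review bot: The added ssh invocation expands the token into the remote command string (`"GHCR_TOKEN=${GHCR_TOKEN} GHCR_ACTOR=${GHCR_ACTOR} bash -se"`), so it lands in the argument list of the shell that sshd starts on the deploy host, where other local users can typically read it from the process table. The remote shell also re-parses every interpolated value. Map the values through the step's `env:` and feed the token on stdin to a separate `docker login` call, as sketched below, leaving the original `'bash -se'` heredoc without the credential. The `docker login` inside the heredoc also leaves the credential in the host's Docker config unless a credential helper is configured, so a `docker logout ghcr.io` after the `pull` is worth adding. The deploy step of `deploy_backend_prod.yml` repeats the pattern, and the step header above `shell: bash` lies outside this hunk.

```yaml
        env:
          GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GHCR_ACTOR: ${{ github.actor }}
        run: |
          set -euo pipefail
          # Token travels on stdin only; it never appears in the remote argv.
          printf '%s\n' "$GHCR_TOKEN" | ssh -i ~/.ssh/id_deploy \
            -o IdentitiesOnly=yes \
            -o BatchMode=yes \
            "${{ secrets.DEV_SSH_USER }}@${{ secrets.DEV_SSH_HOST }}" \
            "docker login ghcr.io -u '${GHCR_ACTOR}' --password-stdin"
          # … unchanged: ssh … 'bash -se' <<'REMOTE' deploy script, without the docker login line …
```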
@@ -9,14 +9,44 @@ concurrency: group: deploy-backend-prod cancel-in-progress: true +permissions: + contents: read + packages: write + jobs: - deploy: + build-and-push: runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 + - name: Log in to GHCR + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Extract version tag + id: tag + run: echo "version=${GITHUB_REF_NAME}" >> "$GITHUB_OUTPUT" + + - name: Build and push image + uses: docker/build-push-action@v5 + with: + context: . + file: Dockerfile + push: true + tags: | + ghcr.io/scimma/heroic:${{ steps.tag.outputs.version }} + ghcr.io/scimma/heroic:latest + + deploy: + runs-on: ubuntu-latest + needs: build-and-push + + steps: - name: Prepare SSH shell: bash run: | @@ -59,15 +89,19 @@ jobs: shell: bash run: | set -euo pipefail + GHCR_TOKEN="${{ secrets.GITHUB_TOKEN }}" + GHCR_ACTOR="${{ github.actor }}" + VERSION="${{ github.ref_name }}" ssh -i ~/.ssh/id_deploy \ -o IdentitiesOnly=yes \ -o BatchMode=yes \ "${{ secrets.PROD_SSH_USER }}@${{ secrets.PROD_SSH_HOST }}" \ - 'bash -se' <<'REMOTE' + "GHCR_TOKEN=${GHCR_TOKEN} GHCR_ACTOR=${GHCR_ACTOR} VERSION=${VERSION} bash -se" <<'REMOTE' set -euo pipefail DEPLOY_PATH="$HOME/heroic" FRONTEND_PATH="$HOME/heroic-frontend" + HEROIC_IMAGE="ghcr.io/scimma/heroic:${VERSION}" cd "$DEPLOY_PATH" git fetch origin --prune 
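Review bot: The image is pushed and later pulled by tag name only (`heroic:${{ steps.tag.outputs.version }}` plus `:latest`), and registry tags are mutable, so `deploy` has no guarantee that it runs the image this run built. Consider giving the build step an `id`, exporting its `digest` output as a job output, and having `deploy` pull `ghcr.io/scimma/heroic@<digest>` instead. The `Extract version tag` step reads `${GITHUB_REF_NAME}` from the environment, which is the safe way to consume the ref name. The workflow trigger is outside this hunk, so whether the ref is always a tag that is also a valid image tag cannot be confirmed from here.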
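Review bot: `VERSION="${{ github.ref_name }}"` pastes the ref name into the runner script before bash parses it, and the value is then expanded unquoted into the remote command string (`"... VERSION=${VERSION} bash -se"`). A ref name containing shell metacharacters would therefore be interpreted on the runner and again on the production host. Git allows characters such as `$`, `(`, `;` and backticks in ref names, and who may push the triggering ref is not visible in this hunk. Pass the value through the step's `env:` (`VERSION: ${{ github.ref_name }}`) and validate it before use, e.g. `[[ "$VERSION" =~ ^[A-Za-z0-9._-]+$ ]] || exit 1`, before handing it to the remote side. The token handling here has the same exposure as the deploy step in `deploy_backend_dev.yml`.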
@@ -75,13 +109,15 @@ jobs: git checkout main git reset --hard origin/main + echo "$GHCR_TOKEN" | docker login ghcr.io -u "$GHCR_ACTOR" --password-stdin + if [ -d "$FRONTEND_PATH" ]; then (cd "$FRONTEND_PATH" && docker compose down) || true fi docker compose -f docker-compose.yml -f docker-compose.prod.yml down --remove-orphans - docker compose -f docker-compose.yml -f docker-compose.prod.yml build - docker compose -f docker-compose.yml -f docker-compose.prod.yml up -d + HEROIC_IMAGE="$HEROIC_IMAGE" docker compose -f docker-compose.yml -f docker-compose.prod.yml pull + HEROIC_IMAGE="$HEROIC_IMAGE" docker compose -f docker-compose.yml -f docker-compose.prod.yml up -d if [ -d "$FRONTEND_PATH" ]; then (cd "$FRONTEND_PATH" && docker compose up --no-build -d) || true @@ -89,7 +125,7 @@ jobs: sleep 20 - docker compose -f docker-compose.yml -f docker-compose.prod.yml exec -T backend poetry run python manage.py collectstatic --noinput + HEROIC_IMAGE="$HEROIC_IMAGE" docker compose -f docker-compose.yml -f docker-compose.prod.yml exec -T backend poetry run python manage.py collectstatic --noinput REMOTE diff --git a/docker-compose.yml b/docker-compose.yml index 990a60e..4fa2e65 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -30,10 +30,7 @@ services: - redis_data:/data backend: - build: - context: . - dockerfile: Dockerfile - image: heroic + image: ${HEROIC_IMAGE:-heroic} restart: always env_file: - .env @@ -54,10 +51,7 @@ services: - heroic_net ingestor: - build: - context: . - dockerfile: Dockerfile - image: heroic + image: ${HEROIC_IMAGE:-heroic} command: ["python", "manage.py", "readstreams"] restart: always env_file: @@ -76,10 +70,7 @@ services: - heroic_net dramatiq_task_scheduler: - build: - context: . - dockerfile: Dockerfile - image: heroic + image: ${HEROIC_IMAGE:-heroic} env_file: - .env environment: 
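Review bot: With the `build:` section removed, the fallback in `image: ${HEROIC_IMAGE:-heroic}` means any invocation without the variable resolves to the bare name `heroic`. Docker looks that name up locally or on Docker Hub rather than in GHCR, so a stale or unintended image can start silently. Prefer failing closed with `image: ${HEROIC_IMAGE:?set HEROIC_IMAGE to the full ghcr.io image reference}`, or default to the fully qualified GHCR name. The deploy scripts call `docker compose ... down --remove-orphans` without the variable, so they would then need a single `export HEROIC_IMAGE=...` in place of the per-command prefix. The same line is changed for `ingestor`, `dramatiq_task_scheduler` and `dramatiq_worker` in the following hunks.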
@@ -100,10 +91,7 @@ services: - heroic_net dramatiq_worker: - build: - context: . - dockerfile: Dockerfile - image: heroic + image: ${HEROIC_IMAGE:-heroic} env_file: - .env environment: