diff --git a/.github/workflows/maven-publish.yml b/.github/workflows/maven-publish.yml
index 7d56631..cd5163e 100644
--- a/.github/workflows/maven-publish.yml
+++ b/.github/workflows/maven-publish.yml
@@ -10,9 +10,30 @@ jobs:
   image:
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: read
+      packages: write
+      attestations: write
+      id-token: write
+
     steps:
+      - name: Checkout
       - uses: actions/checkout@v4
 
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ghcr.io/ictu/pseudoniemenservice
+
+      - name: Login to GHCR
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io/ictu/pseudoniemenservice
+          username: ictu
+          password: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Set up JDK
         uses: actions/setup-java@v4
         with:
@@ -21,4 +42,11 @@ jobs:
           cache: maven
 
       - name: Build with Maven
-        run: mvn -ntp -B spring-boot:build-image
+        run: mvn -ntp -B spring-boot:build-image -Dspring-boot.build-image.imageName=ghcr.io/ictu/pseudoniemenservice:latest
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          push: ${{ github.event_name != 'pull_request' }}
+        run: |
+          docker push --all-tags ghcr.io/${{ github.repository }}