diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 5d81c5a50..5640bd6ac 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -1,11 +1,11 @@
 name: Docker
 
-# on:
-#   push:
-#     branches: [main, release/**]
-#   pull_request:
-#   release:
-#     types: [published]
+on:
+  push:
+    branches: [main, release/**]
+  pull_request:
+  release:
+    types: [published]
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref_protected == 'true' && github.sha || github.ref }}
@@ -37,7 +37,7 @@ jobs:
           platform: linux/amd64
         - runs-on: ubuntu-jammy-16-cores-arm64
           platform: linux/arm64
-    runs-on: ubuntu-latest
+    runs-on: ${{ matrix.runs-on }}
     steps:
     - name: Prepare
       run: |
@@ -50,20 +50,31 @@ jobs:
       with:
         images: ${{ env.REGISTRY_IMAGE }}
 
+    # QEMU is needed if building arm64 on amd64, but it is commented because the
+    # build is currently configured to build each natively.
     # - name: Set up QEMU
     #   uses: docker/setup-qemu-action@v3
 
     - name: Set up Docker Buildx
       uses: docker/setup-buildx-action@v3
 
+    - name: Build
+      uses: docker/build-push-action@v6
+      with:
+        platforms: ${{ matrix.platform }}
+        labels: ${{ steps.meta.outputs.labels }}
+        outputs: type=docker,dest=/tmp/myimage.tar
+
     - name: Login to Docker Hub
+      if: github.event_name == 'release' && github.event.action == 'published'
       uses: docker/login-action@v3
       with:
-        username: ${{ vars.DOCKERHUB_USERNAME }}
+        username: ${{ secrets.DOCKERHUB_USERNAME }}
         password: ${{ secrets.DOCKERHUB_TOKEN }}
 
-    - name: Build and push by digest
-      id: build
+    - name: Push by digest
+      if: github.event_name == 'release' && github.event.action == 'published'
+      id: push
       uses: docker/build-push-action@v6
       with:
         platforms: ${{ matrix.platform }}
@@ -71,12 +82,14 @@ jobs:
         outputs: type=image,name=${{ env.REGISTRY_IMAGE }},push-by-digest=true,name-canonical=true,push=true
 
     - name: Export digest
+      if: github.event_name == 'release' && github.event.action == 'published'
       run: |
         mkdir -p /tmp/digests
-        digest="${{ steps.build.outputs.digest }}"
+        digest="${{ steps.push.outputs.digest }}"
         touch "/tmp/digests/${digest#sha256:}"
 
     - name: Upload digest
+      if: github.event_name == 'release' && github.event.action == 'published'
       uses: actions/upload-artifact@v4
       with:
         name: digests-${{ env.PLATFORM_PAIR }}
@@ -85,9 +98,9 @@ jobs:
         retention-days: 1
 
   merge:
+    if: github.event_name == 'release' && github.event.action == 'published'
+    needs: [build]
     runs-on: ubuntu-latest
-    needs:
-    - build
     steps:
     - name: Download digests
       uses: actions/download-artifact@v4
@@ -108,7 +121,7 @@ jobs:
     - name: Login to Docker Hub
       uses: docker/login-action@v3
       with:
-        username: ${{ vars.DOCKERHUB_USERNAME }}
+        username: ${{ secrets.DOCKERHUB_USERNAME }}
         password: ${{ secrets.DOCKERHUB_TOKEN }}
 
     - name: Create manifest list and push