diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index ebfafe2..d36b9f7 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -12,14 +12,16 @@ jobs: matrix: ${{ steps.set-matrix.outputs.matrix }} steps: - id: set-matrix - run: echo "::set-output name=matrix::{\"include\":[{\"type\":\"amd64\",\"image\":\"amazon/aws-lambda-provided:al2\", \"arch\":\"x86_64\"},{\"type\":\"arm64\",\"image\":\"amazon/aws-lambda-provided:al2.2025.07.17.11-arm64\", \"arch\":\"arm64\"}] }" - + run: echo "matrix={\"include\":[{\"type\":\"amd64\",\"image\":\"amazon/aws-lambda-provided:al2\", \"arch\":\"x86_64\"},{\"type\":\"arm64\",\"image\":\"amazon/aws-lambda-provided:al2.2025.07.17.11-arm64\", \"arch\":\"arm64\"}] }" >> $GITHUB_OUTPUT containers: needs: config runs-on: ubuntu-latest permissions: + contents: read packages: write + attestations: write + id-token: write strategy: fail-fast: true matrix: ${{fromJson(needs.config.outputs.matrix)}} @@ -69,8 +71,10 @@ jobs: if [[ $GITHUB_REF == refs/tags/* ]]; then VERSION=${GITHUB_REF/refs\/tags\//} fi - echo ::set-output name=BUILD_DATE::$(date -u +'%Y-%m-%dT%H:%M:%SZ') - echo ::set-output name=VERSION::${VERSION} + + BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ') + echo "BUILD_DATE=$BUILD_DATE" >> $GITHUB_OUTPUT + echo "VERSION=$VERSION" >> $GITHUB_OUTPUT # Extract metadata (tags, labels) for Docker # https://github.com/docker/metadata-action 
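Review bot: The actions used by the `containers` job are referenced by mutable tags (`docker/metadata-action@v5`, `docker/build-push-action@v6` and `actions/attest-build-provenance@v2`, visible later in this diff), while the new `permissions:` block gives every step of the job `id-token: write` and `attestations: write` on top of `packages: write`. If any of those tags moves, the new code runs with the ability to request an OIDC token and publish attestations for `ghcr.io/pdal/lambda`. Pinning each `uses:` to a full commit SHA, for example `uses: docker/build-push-action@<full-commit-sha> # v6`, belongs in the same change. A comment above the block such as `# id-token + attestations are required by actions/attest-build-provenance` would record why the scopes were added. The job body continues outside this hunk, so its triggers and remaining steps are not visible here.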
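Review bot: The new `>> $GITHUB_OUTPUT` redirects in this script are unquoted, as is the one in the `set-matrix` step of the first hunk. Quote the target, e.g. `echo "VERSION=$VERSION" >> "$GITHUB_OUTPUT"`, so the redirect cannot word-split or glob (shellcheck SC2086). The script starts outside this hunk, so how `VERSION` is initialised for non-tag refs is not visible. It is derived from the ref name and later becomes an image tag, so a comment stating which ref shapes are expected would help.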
@@ -79,21 +83,24 @@ jobs: uses: docker/metadata-action@v5 with: images: | - ghcr.io/pdal/pdal - docker.io/pdal/pdal + ghcr.io/pdal/lambda tags: | type=ref,event=branch type=ref,event=pr type=semver,pattern={{version}} type=semver,pattern={{major}}.{{minor}} + env: + DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index + - name: Build image uses: docker/build-push-action@v6 with: + id: push push: ${{ env.PUSH_PACKAGES == 'true' }} builder: ${{ steps.buildx.outputs.name }} context: . - file: ./Dockerfile + file: ./docker/Dockerfile.runner platforms: linux/${{ matrix.type}} build-args: | LAMBDA_IMAGE=${{ matrix.image }} @@ -101,6 +108,7 @@ jobs: tags: | ghcr.io/pdal/lambda:${{ steps.prep.outputs.VERSION }} ghcr.io/pdal/lambda:latest + annotations: ${{ steps.meta.outputs.annotations }} labels: | org.opencontainers.image.title=${{ github.event.repository.name }} org.opencontainers.image.description=${{ github.event.repository.description }} @@ -114,7 +122,8 @@ jobs: if: ${{ env.PUSH_PACKAGES == 'true' }} uses: actions/attest-build-provenance@v2 with: - subject-name: ghcr.io/pdal/pdal + + subject-name: ghcr.io/pdal/lambda subject-digest: ${{ steps.push.outputs.digest }} push-to-registry: ${{ env.PUSH_PACKAGES == 'true' }} diff --git a/docker/Dockerfile.runner b/docker/Dockerfile.runner index c3317e3..0fc0766 100644 --- a/docker/Dockerfile.runner +++ b/docker/Dockerfile.runner @@ -1,7 +1,7 @@ ARG LAMBDA_IMAGE="amazon/aws-lambda-provided:al2" ARG RIE_ARCH="amd64" -FROM --platform=$TARGETPLATFORM condaforge/miniforge3:latest as condasetup +FROM condaforge/miniforge3:latest AS condasetup LABEL MAINTAINER="Howard Butler " ARG TARGETPLATFORM 
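Review bot: `id: push` appears to have been added under `with:` of the `Build image` step rather than as a key of the step itself; indentation is lost in this view, so confirm against the file. If so, no step carries the id `push`, and `${{ steps.push.outputs.digest }}` in the attestation step (last hunk of this file) expands to an empty string, so the provenance is not bound to the image that was pushed. Move it to step level: `- name: Build image`, then `id: push`, then `uses: docker/build-push-action@v6`. The `annotations: ${{ steps.meta.outputs.annotations }}` line added in the following hunk likewise depends on the metadata step having `id: meta`, which is not visible in this diff.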
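Review bot: `condaforge/miniforge3:latest` in the rewritten `FROM` line is still a mutable tag, so the builder stage behind an attested `ghcr.io/pdal/lambda` image can differ between two builds of the same commit and cannot be audited afterwards. Pin it to a release tag plus digest, e.g. `FROM condaforge/miniforge3:<release-tag>@sha256:<digest> AS condasetup`, and let a dependency-update bot bump it. Dropping `--platform=$TARGETPLATFORM` is harmless because the target platform is the default for `FROM`. The second `FROM` further down keeps the flag, though, so the two stages are now written inconsistently.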
@@ -13,16 +13,16 @@ RUN printf "I'm building for TARGETPLATFORM=${TARGETPLATFORM}" \ && printf "With uname -s : " && uname -s \ && printf "and uname -m : " && uname -mm -ENV CONDA_ENV_NAME "pdal" -ENV CONDAENV "/opt/conda/envs/${CONDA_ENV_NAME}" +ENV CONDA_ENV_NAME="pdal" +ENV CONDAENV="/opt/conda/envs/${CONDA_ENV_NAME}" # Create the environment: -COPY build-environment.yml . +COPY ./docker/build-environment.yml . RUN conda env create -f build-environment.yml RUN mamba update --all -y -COPY run-environment.yml . +COPY ./docker/run-environment.yml . RUN conda env create -f run-environment.yml @@ -32,7 +32,7 @@ RUN conda-pack -n ${CONDA_ENV_NAME} --dest-prefix=/var/task -o /tmp/env.tar && \ rm /tmp/env.tar -FROM --platform=$TARGETPLATFORM ${LAMBDA_IMAGE:?} as al2 +FROM --platform=$TARGETPLATFORM ${LAMBDA_IMAGE:?} AS al2 ARG RIE_ARCH ARG LAMBDA_IMAGE @@ -43,16 +43,16 @@ ENV TARGETARCH=${TARGETARCH:-amd64} -ENV CONDAENV "/var/task" -ENV CONDA_PREFIX "/var/task" -ENV TARGETPLATFORM "${TARGETPLATFORM}" +ENV CONDAENV="/var/task" +ENV CONDA_PREFIX="/var/task" +ENV TARGETPLATFORM="${TARGETPLATFORM}" COPY --from=condasetup /venv ${CONDAENV} -ENV PROJ_LIB ${CONDAENV}/share/proj +ENV PROJ_LIB=${CONDAENV}/share/proj ENV PROJ_NETWORK=TRUE -ENV PATH $PATH:${CONDAENV}/bin +ENV PATH=$PATH:${CONDAENV}/bin ENV LD_LIBRARY_PATH=${CONDAENV}/lib ENV HOME=/var/task/ @@ -63,7 +63,7 @@ RUN chmod +x /usr/bin/aws-lambda-rie WORKDIR /var/task -COPY python-entry.sh ./ -COPY handlers/python/ /var/task/lib/python3.11/site-packages/pdal_lambda -COPY root-bashrc /root/.bashrc +COPY ./docker/python-entry.sh ./ +COPY ./handlers/python/ /var/task/lib/python3.11/site-packages/pdal_lambda +COPY ./docker/root-bashrc /root/.bashrc ENTRYPOINT [ "/var/task/python-entry.sh" ]
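Review bot: The Dockerfile now builds only from the repository root, because the `COPY ./docker/build-environment.yml .` and `COPY ./docker/run-environment.yml .` sources here, and the three `COPY` lines in the last hunk, are root-relative. The whole checkout is therefore sent to the builder as context. Add a header comment such as `# Build from the repository root: docker build -f docker/Dockerfile.runner .`, and, if the repository does not already have one, a root `.dockerignore` that excludes `.git` and local credential files. Separately, `RUN mamba update --all -y` in the context lines pulls whatever is newest at build time. If the environment files do not pin versions, the packed environment will differ between builds of the same commit.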