diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 819a268..a197161 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,10 +1,11 @@
 name: CI
 on:
- push:
- branches: ["master"]
 pull_request:
 branches: ["master"]
+ push:
+ branches: ["master"]
+ workflow_call:
 jobs:
 prettier:
@@ -23,6 +24,18 @@ jobs:
 run: npm install --global prettier
 - name: Run Prettier
 run: prettier --check --no-error-on-unmatched-pattern "**/*.{json,md,yml,yaml}"
+ prettier_action:
+ name: Prettier 2
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+ with:
+ ref: ${{ github.head_ref }}
+ - name: Run Prettier
+ uses: creyD/prettier_action@v4.3
+ with:
+ prettier_options: --check --no-error-on-unmatched-pattern "**/*.{json,md,yml,yaml}"
 check:
 name: Mix Format
 runs-on: ubuntu-latest
@@ -31,8 +44,8 @@ jobs:
 - name: Set up Elixir
 uses: erlef/setup-beam@v1
 with:
- elixir-version: "1.15.6"
- otp-version: "26.1"
+ elixir-version: "1.15.7"
+ otp-version: "26"
 - name: Restore dependencies cache
 uses: actions/cache@v3
 with:
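Review bot: The added `prettier_action` job runs a third-party action from a movable tag, `creyD/prettier_action@v4.3`, and nothing visible in the job or at the top of the workflow limits the token it receives. That action is designed to commit and push formatting changes, so for a check-only job I would give the job `permissions:` with `contents: read`, set `dry: true` under the step's `with:`, and pin `uses:` to a full commit SHA. `ref: ${{ github.head_ref }}` is empty on the `push` and `workflow_call` triggers, and on a pull request from a fork it names a branch that may not exist in this repository, so leaving `ref` unset looks safer. The job also repeats the existing `prettier` check with identical options.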
@@ -43,3 +56,45 @@ jobs:
 run: mix deps.get
 - name: Run formatter
 run: mix format --check-formatted
+ image_build:
+ name: Build Image
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ - name: Docker metadata
+ id: meta
+ uses: docker/metadata-action@v5
+ with:
+ images: |
+ hpopp/tarot-cup
+ tags: |
+ type=ref,event=pr
+ type=semver,pattern={{version}}
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+ - name: Build and export
+ uses: docker/build-push-action@v5
+ with:
+ context: .
+ tags: ${{ steps.meta.outputs.tags }}
+ outputs: type=docker,dest=/tmp/image.tar
+ - name: Upload artifact
+ uses: actions/upload-artifact@v3
+ with:
+ name: image
+ path: /tmp/image.tar
+ trivy:
+ name: Trivy Scan
+ runs-on: ubuntu-latest
+ needs: image_build
+ steps:
+ - name: Download artifact
+ uses: actions/download-artifact@v3
+ with:
+ name: image
+ - name: Run Trivy vulnerability scanner in tarball mode
+ uses: aquasecurity/trivy-action@master
+ with:
+ input: image.tar
+ severity: "CRITICAL"
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
new file mode 100644
index 0000000..6289cad
--- /dev/null
+++ b/.github/workflows/publish.yml
@@ -0,0 +1,29 @@
+name: Publish
+
+on:
+ push:
+ tags: ["v*"]
+
+jobs:
+ test_and_build:
+ uses: ./.github/workflows/ci.yml
+ secrets: inherit
+ image_publish:
+ name: Publish Image
+ runs-on: ubuntu-latest
+ needs: [image_build, trivy]
+ steps:
+ - name: Login to Docker Hub
+ uses: docker/login-action@v3
+ with:
+ username: ${{ secrets.DOCKERHUB_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_TOKEN }}
+ - name: Download artifact
+ uses: actions/download-artifact@v3
+ with:
+ name: image
+ path: /tmp
+ - name: Publish image
+ run: |
+ docker load --input /tmp/image.tar
+ docker push --all-tags ${{ github.repository }}
diff --git a/.tool-versions b/.tool-versions
index 9f88665..510eaf4 100644
--- a/.tool-versions
+++ b/.tool-versions
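Review bot: The `trivy` job cannot fail on findings as written, because the scan step sets `severity: "CRITICAL"` but no `exit-code`, and trivy-action's default exit code is 0, so a critical vulnerability is only printed in the log. Adding `exit-code: "1"` under that step's `with:` makes the scan an actual gate for anything that depends on this job. The same step uses `aquasecurity/trivy-action@master`, a moving branch, while the other actions in this hunk are on version tags; pin it to a release tag or, better, a full commit SHA.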
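Review bot: `needs: [image_build, trivy]` in `image_publish` names jobs that are defined inside the called ci.yml, whereas `needs` can only refer to job ids of this workflow and the only other one here is `test_and_build`; the dependency should read `needs: test_and_build`, otherwise the publish job is not ordered behind the build and scan. `secrets: inherit` makes every repository secret, including the Docker Hub credentials used below, available to ci.yml, whose jobs as shown reference no secrets and run actions at movable refs, so dropping that line keeps the credentials confined to the publish job. In the last step `${{ github.repository }}` is expanded straight into the shell script and only matches the built image if the repository is named like the `hpopp/tarot-cup` image set in ci.yml; pushing that image name explicitly, or passing the value through `env:`, would be more robust.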
@@ -1,2 +1,2 @@
-elixir 1.15.6-otp-26
-erlang 26.1.1
+elixir 1.15.7-otp-26
+erlang 26.1.2