diff --git a/.forgejo/workflows/docker-build-push.yaml b/.forgejo/workflows/docker-build-push.yaml
new file mode 100644
index 0000000..e7445ae
--- /dev/null
+++ b/.forgejo/workflows/docker-build-push.yaml
@@ -0,0 +1,68 @@
+name: Build and Push Docker Image
+
+# Define when this workflow will run
+on:
+ push:
+ branches:
+ - master # Trigger on pushes to master branch
+ tags:
+ - '[0-9]+.[0-9]+.[0-9]+' # Trigger on semantic version tags
+ paths-ignore:
+ - 'Cargo.lock'
+ - 'LICENSE'
+ - 'README.md'
+ - 'docker-compose.yml'
+ workflow_dispatch: # Allow manual triggering of the workflow
+
+# Define environment variables used throughout the workflow
+env:
+ REGISTRY: git.nadeko.net
+ IMAGE_NAME: fijxu/inv_sig_helper
+
+jobs:
+ build-and-push:
+ runs-on: runner
+
+ steps:
+ # Step 1: Check out the repository code
+ - name: Checkout code
+ uses: https://github.com/actions/checkout@v3
+
+ # Step 3: Set up Docker Buildx for enhanced build capabilities
+ - name: Set up Docker Buildx
+ uses: https://github.com/docker/setup-buildx-action@v3
+
+ # Step 4: Authenticate with Quay.io registry
+ - name: Login to Docker Container Registry
+ uses: https://github.com/docker/login-action@v3.1.0
+ with:
+ registry: git.nadeko.net
+ username: ${{ secrets.USERNAME }}
+ password: ${{ secrets.TOKEN }}
+
+ # Step 5: Extract metadata for Docker image tagging and labeling
+ - name: Extract metadata for Docker
+ id: meta
+ uses: https://github.com/docker/metadata-action@v4
+ with:
+ images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+ # Define tagging strategy
+ tags: |
+ type=semver,pattern={{version}}
+ type=semver,pattern={{major}}.{{minor}}
+ type=semver,pattern={{major}}
+ type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'master') }}
+ type=sha,prefix={{branch}}-
+ # Define labels
+ labels: |
+ quay.expires-after=12w
+
+ # Step 6: Build and push the Docker image
+ - name: Build and push Docker image
+ uses: https://github.com/docker/build-push-action@v5
+ with:
+ context: .
+ push: true
+ platforms: linux/amd64
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
diff --git a/Dockerfile b/Dockerfile
index e5f796e..45a53e1 100644
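Review bot: Every `uses:` step in this job resolves a mutable tag from github.com (`actions/checkout@v3`, `docker/setup-buildx-action@v3`, `docker/login-action@v3.1.0`, `docker/metadata-action@v4`, `docker/build-push-action@v5`), while the same job holds `secrets.TOKEN` and pushes to the registry, so whatever a tag points at on the day of the run executes with push credentials. Pin each action to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: https://github.com/docker/login-action@<full-commit-sha> # v3.1.0`. Separately, the login step hard-codes `registry: git.nadeko.net` although `${{ env.REGISTRY }}` is defined above it, and the "Authenticate with Quay.io registry" comment and the `quay.expires-after=12w` label look like leftovers from a Quay-targeted workflow; I would reword the comment to `# Step 4: Authenticate with the container registry` and confirm the label is still wanted.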
--- a/Dockerfile +++ b/Dockerfile @@ -1,20 +1,22 @@ -# Use the official Alpine-based Rust image as a parent image -FROM rust:1.80-alpine AS builder +# Use the official Debian-based Rust image as a parent image +FROM rust:1.81-slim-bookworm AS builder # Set the working directory in the container WORKDIR /usr/src/app +RUN DEBIAN_FRONTEND='noninteractive' apt update + # Install build dependencies -RUN apk add --no-cache \ - musl-dev \ - openssl-dev \ - openssl-libs-static \ - pkgconfig \ +RUN DEBIAN_FRONTEND='noninteractive' apt install -y --no-install-recommends \ + libssl-dev \ + pkg-config \ patch +RUN DEBIAN_FRONTEND='noninteractive' apt autoclean + # Set environment variables for static linking -ENV OPENSSL_STATIC=yes -ENV OPENSSL_DIR=/usr +# ENV OPENSSL_STATIC=yes +# ENV OPENSSL_DIR=/usr # Copy the current directory contents into the container COPY . . @@ -22,23 +24,19 @@ COPY . . # Determine the target architecture and build the application RUN RUST_TARGET=$(rustc -vV | sed -n 's/host: //p') && \ rustup target add $RUST_TARGET && \ - RUSTFLAGS='-C target-feature=+crt-static' cargo build --release --target $RUST_TARGET + cargo build --release --target $RUST_TARGET # Stage for creating the non-privileged user -FROM alpine:3.20 AS user-stage +FROM debian:bookworm-slim AS user-stage -RUN adduser -u 10001 -S appuser - -# Stage for a smaller final image -FROM scratch +RUN adduser --uid 10001 appuser +RUN apt update && apt install libssl3 +RUN apt-get clean autoclean && apt-get autoremove --yes && rm -rf /var/lib/apt /var/lib/dpkg /var/lib/cache /var/lib/log # Copy necessary files from the builder stage, using the correct architecture path COPY --from=builder /usr/src/app/target/*/release/inv_sig_helper_rust /app/inv_sig_helper_rust COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ -# Copy passwd file for the non-privileged user from the user-stage -COPY --from=user-stage /etc/passwd /etc/passwd - # Set the working directory WORKDIR /app
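Review bot: `apt update` sits in its own `RUN` layer ahead of the `apt install` layer, so a cached index layer can be reused while the install layer is rebuilt, and the builder then resolves `libssl-dev` against a stale package list. The trailing `RUN ... apt autoclean` is also a separate layer and removes nothing from the layers before it. I would fold the three into one: `RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends libssl-dev pkg-config patch && rm -rf /var/lib/apt/lists/*`. The two commented-out `ENV OPENSSL_*` lines no longer match the dynamic build and could be deleted together with the "static linking" comment above them.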
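Review bot: The cleanup `RUN` in the runtime stage deletes `/var/lib/dpkg` in a layer of its own, which does not shrink the image (the earlier layers still carry the files) but does remove the package database that image scanners read to inventory `libssl3` and the base packages. With `FROM scratch` gone the shipped image is now a full `debian:bookworm-slim`, so keeping that inventory matters more than before. `apt install libssl3` also lacks `-y` and `--no-install-recommends`, so it may stop at a confirmation prompt in a non-interactive build. I would replace both lines with `RUN apt-get update && apt-get install -y --no-install-recommends libssl3 && rm -rf /var/lib/apt/lists/*`. The rest of the stage, including any `USER` directive for `appuser`, is outside the hunk and should be checked now that `/etc/passwd` is no longer copied into a separate final stage.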