diff --git a/.github/workflows/openssl3.yml b/.github/workflows/openssl3.yml
index 273484c..895dff6 100644
--- a/.github/workflows/openssl3.yml
+++ b/.github/workflows/openssl3.yml
@@ -14,6 +14,10 @@ on:
         required: false
         default: false
         type: boolean
+      release_tag:
+        description: "Which docker tag to push to"
+        required: false
+        type: string
   workflow_dispatch:
     inputs:
       build_main:
@@ -21,11 +25,16 @@ on:
         required: false
         default: false
         type: boolean
+      release_tag:
+        description: "Which docker tag to push to"
+        required: false
+        type: string
 
 env:
   build-args: |
     LIBOQS_TAG=main
     OQSPROVIDER_TAG=main
+  push: ${{ github.repository == 'open-quantum-safe/oqs-demos' && github.ref == 'refs/heads/main' }}
 
 jobs:
   build:
@@ -40,6 +49,11 @@ jobs:
       - uses: actions/checkout@v4
       - uses: docker/setup-qemu-action@v3
       - uses: docker/setup-buildx-action@v3
+      - uses: docker/login-action@v3
+        if: ${{ env.push == true }}
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
       - uses: docker/login-action@v3
         with:
           registry: ghcr.io
@@ -54,10 +68,24 @@ jobs:
           platforms: ${{ matrix.platform }}
           build-args: |
             MAKE_DEFINES=-j4
-            ${{ (github.event.inputs.build_main == 'true') && env.build-args || null }}
+            ${{ (inputs.build_main == 'true') && env.build-args || null }}
           tags: oqs-ossl3
 
       - name: Test openssl3 with provider - one baseline and one hybrid QSC algorithm
         run: |
           docker run --rm --name oqs-ossl3 oqs-ossl3 sh -c "openssl list -providers; /opt/openssl32/bin/serverstart.sh; sleep 2; echo 'GET /' | openssl s_client -connect localhost --groups kyber768 --CAfile /opt/openssl32/bin/CA.crt" &&
           docker run --rm --name oqs-ossl3 oqs-ossl3 sh -c "KEM_ALG=p521_frodo1344aes /opt/openssl32/bin/serverstart.sh; sleep 2; echo 'GET /' | openssl s_client -connect localhost --groups p521_frodo1344aes --CAfile /opt/openssl32/bin/CA.crt"
+
+      - name: Push Docker image to registries
+        if: env.push
+        uses: docker/build-push-action@v6
+        with:
+          push: true
+          context: openssl3
+          platforms: ${{ matrix.platform }}
+          build-args: |
+            MAKE_DEFINES=-j4
+            ${{ (inputs.build_main == 'true') && env.build-args || null }}
+          tags: |
+            openquantumsafe/openssl3:${{ inputs.release_tag || 'latest' }}
+            ghcr.io/open-quantum-safe/openssl3:${{ inputs.release_tag || 'latest' }}