diff --git a/.github/workflows/publish-container.yaml b/.github/workflows/publish-container.yaml
index 63ef7dc..28824a7 100644
--- a/.github/workflows/publish-container.yaml
+++ b/.github/workflows/publish-container.yaml
@@ -16,41 +16,51 @@ jobs: permissions: contents: read packages: write + env: + tags: >- + ${{ github.ref == format('refs/heads/{0}', 'main') && 'latest' || '' }} + ${{ github.event_name == 'pull_request' && format('pr-{0}', github.event.number) || '' }} + ${{ github.event_name == 'push' && github.ref_name || '' }} + sha-${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }} steps: - name: Checkout uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: ref: ${{ github.event.pull_request.head.sha }} - - name: Docker meta - id: meta - uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 - with: - images: | - ghcr.io/tkhq/ecr-proxy - tags: | - type=raw,value=latest,enable={{is_default_branch}} - type=ref,event=pr - type=semver,pattern={{version}} - type=sha,format=long - - name: Get committer date + - name: Setup and configure Docker run: | - echo "committer_date=$(git log -1 --pretty=%ct)" >> "$GITHUB_ENV" - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0 - - name: Login to GHCR - if: github.event_name != 'pull_request' - uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - name: Build and push - uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0 - with: - context: . 
- platforms: linux/amd64,linux/arm64 - build-args: | - SOURCE_DATE_EPOCH=${{ env.committer_date }} - provenance: "false" - push: ${{ github.event_name != 'pull_request' }} - tags: ${{ steps.meta.outputs.tags }} + [[ $EUID -ne 0 ]] && exec sudo /bin/sh "$0" "$@" + for pkg in docker.io docker-doc docker-compose docker-compose-v2 podman-docker containerd runc; \ + do apt-get remove $pkg; \ + done + apt-get update + apt-get install ca-certificates curl + install -m 0755 -d /etc/apt/keyrings + curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc + chmod a+r /etc/apt/keyrings/docker.asc + echo \ + "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \ + $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \ + tee /etc/apt/sources.list.d/docker.list > /dev/null + apt-get update + cat << EOF >/etc/docker/daemon.json + { + "features": { + "containerd-snapshotter": true + } + } + EOF + apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin + systemctl restart docker + docker buildx create --driver docker-container --bootstrap --name build --use + - name: Build + run: make + - name: Push + run: | + env -C out/ecr-proxy tar -cf - . | docker load + docker tag "tkhq/ecr-proxy:latest" "ghcr.io/tkhq/ecr-proxy:latest" + for tag in ${tags}; do + docker tag "tkhq/ecr-proxy:latest" "ghcr.io/tkhq/ecr-proxy:${tag}" + done + echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin + docker image push --all-tags "ghcr.io/tkhq/ecr-proxy" diff --git a/Containerfile b/Containerfile new file mode 100644 index 0000000..25c24c0 --- /dev/null +++ b/Containerfile 
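Review bot: The `Push` step writes `${{ secrets.GITHUB_TOKEN }}` straight into the generated shell script and runs on every event, while the removed `Login to GHCR`/`Build and push` steps were guarded by `if: github.event_name != 'pull_request'`; pull requests from forks receive a read-only `GITHUB_TOKEN`, so the push will fail there even though the `tags` env deliberately produces `pr-N`. Pass the token through the step's `env:` (`GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }}`), use `echo "$GHCR_TOKEN" | docker login ghcr.io -u "$GITHUB_ACTOR" --password-stdin`, and add an `if:` that skips the push where the token cannot write. In `Setup and configure Docker`, `[[ $EUID -ne 0 ]] && exec sudo /bin/sh "$0" "$@"` re-runs the script under `/bin/sh` without the `-e` that the default `bash -e` shell gives a `run:` step, `[[` is not POSIX, and none of the `apt-get` calls pass `-y`, so a failed or aborted package operation would not fail the step; `set -eu` at the top of the script and `-y` on each `apt-get` fix that. The Docker apt signing key is downloaded and trusted without comparing its fingerprint, and `docker-ce`/`containerd.io` are installed unpinned, so the runner's toolchain changes with every upstream release. The job's `runs-on` and the rest of its header are outside this hunk, as is the `Makefile` target invoked by `make`.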
@@ -0,0 +1,45 @@
+FROM stagex/busybox:sx2024.04.2@sha256:8cb9360041cd17e8df33c5cbc6c223875045c0c249254367ed7e0eb445720757 AS busybox
+FROM stagex/musl:sx2024.04.2@sha256:f888fcf45fabaaae3d0268bcec902ceb94edba7bf8d09ef6966ebb20e00b7127 AS musl
+FROM stagex/go:sx2024.04.2@sha256:7a0c200995e220519aae02554c082b45cc3f7452480ea45d19e15ad3ecdffb4c AS go
+FROM stagex/ca-certificates:sx2024.04.2@sha256:f9fe6e67df91083fee3d88cf221f84ef77f0b67480fb5b0689e890509a712533 AS ca-certificates
+
+FROM scratch as builder
+COPY --from=busybox . /
+COPY --from=musl . /
+COPY --from=go . /
+COPY --from=ca-certificates . /
+
+ARG TARGETOS
+ARG TARGETARCH
+
+ENV GOPATH=/usr/home/build
+ENV GOOS=${TARGETOS}
+ENV GOARCH=${TARGETARCH}
+ENV GOPROXY=off
+ENV CGO_ENABLED=0
+ENV GOPROXY="https://proxy.golang.org,direct"
+ENV GO_BUILDFLAGS="-x -v -trimpath -buildvcs=false"
+ENV GO_LDFLAGS="-s -w -buildid= -extldflags=-static"
+ENV GOFLAGS=${GO_BUILDFLAGS} -ldflags="${GO_LDFLAGS}"
+
+RUN <<-EOF
+ set -eux
+ mkdir -p /newroot/etc/ssl/certs
+ cp -ra --parents /etc/ssl/certs /newroot/
+EOF
+
+WORKDIR /usr/home/build/src
+
+COPY ./src/go.mod ./src/go.sum ./
+RUN go mod download
+
+COPY ./src ./
+RUN --network=none go build ${GOFLAGS} \
+ -o /newroot/usr/local/bin/ecr-proxy \
+ ./cmd/ecr-proxy
+
+FROM scratch
+LABEL org.opencontainers.image.source https://github.com/tkhq/ecr-proxy
+COPY --from=builder /newroot /
+USER 65532:65532
+ENTRYPOINT ["/usr/local/bin/ecr-proxy"]
diff --git a/Dockerfile b/Dockerfile
deleted file mode 100644
index ee06937..0000000
--- a/Dockerfile
+++ /dev/null
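Review bot: `ENV GOFLAGS=${GO_BUILDFLAGS} -ldflags="${GO_LDFLAGS}"` is most likely parsed as two key=value pairs (`GOFLAGS` plus a variable literally named `-ldflags`), so the `-s -w -buildid= -extldflags=-static` linker flags never reach `go build`, and the unquoted `${GOFLAGS}` on the `RUN --network=none go build` line would word-split a quoted `-ldflags` value anyway; check with `go env GOFLAGS` inside the builder stage before relying on stripped, buildid-free output. The simplest fix is to drop the `GOFLAGS` ENV and call `go build ${GO_BUILDFLAGS} -ldflags="${GO_LDFLAGS}" -o /newroot/usr/local/bin/ecr-proxy ./cmd/ecr-proxy`. `ENV GOPROXY=off` is overridden two lines later by `ENV GOPROXY="https://proxy.golang.org,direct"` and can be deleted, since the offline build is already enforced by `--network=none`. `LABEL org.opencontainers.image.source https://github.com/tkhq/ecr-proxy` uses the legacy space-separated form and `FROM scratch as builder` mixes `as` casing; write `LABEL org.opencontainers.image.source="https://github.com/tkhq/ecr-proxy"` and `FROM scratch AS builder`.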
@@ -1,39 +0,0 @@
-FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.22-bullseye@sha256:dcff0d950cb4648fec14ee51baa76bf27db3bb1e70a49f75421a8828db7b9910 AS builder
-
-ARG SOURCE_DATE_EPOCH
-ARG TARGETOS
-ARG TARGETARCH
-
-ENV GOPATH=/usr/home/build
-ENV GOOS=${TARGETOS}
-ENV GOARCH=${TARGETARCH}
-
-RUN mkdir -p /newroot/etc/ssl/certs \
- && cp -ra --parents /etc/ssl/certs /newroot/
-
-WORKDIR /usr/home/build/src
-
-COPY ./src/go.mod ./src/go.sum ./
-RUN go mod download
-
-COPY ./src ./
-RUN GOPROXY=off \
- CGO_ENABLED=0 \
- go build \
- -o /newroot/usr/local/bin/ecr-proxy \
- ./cmd/ecr-proxy
-
-# Hack to reset timestamps on directories in a multi-platform build
-RUN find /newroot -newermt "@${SOURCE_DATE_EPOCH}" -writable \
- | xargs touch --date="@${SOURCE_DATE_EPOCH}" --no-dereference
-
-
-FROM scratch
-
-LABEL org.opencontainers.image.source https://github.com/tkhq/ecr-proxy
-
-COPY --from=builder /newroot /
-
-USER 65532:65532
-
-ENTRYPOINT ["/usr/local/bin/ecr-proxy"]
diff --git a/Makefile b/Makefile
index 54337aa..b8fcdc2 100644
--- a/Makefile
+++ b/Makefile
@@ -1,90 +1,19 @@ -include $(PWD)/src/toolchain/Makefile - -KEYS := \ - 6B61ECD76088748C70590D55E90A401336C8AAA9 \ - A8864A8303994E3A18ACD1760CAB4418C834B102 \ - 66039AA59D823C8BD68DB062D3EC673DF9843E7B \ - DE050A451E6FAF94C677B58B9361DEC647A087BD - -LOCAL_BUILD_DIR := 'build' - .DEFAULT_GOAL := +export .PHONY: default -default: \ - cache \ - toolchain \ - $(patsubst %,$(KEY_DIR)/%.asc,$(KEYS)) \ - $(OUT_DIR)/ecr-proxy.linux-x86_64 \ - $(OUT_DIR)/ecr-proxy.linux-aarch64 \ - $(OUT_DIR)/release.env \ - toolchain-profile +default: out/ecr-proxy/index.json .PHONY: lint lint: - $(call toolchain,' \ - GOCACHE=/home/build/$(CACHE_DIR) \ - GOPATH=/home/build/$(CACHE_DIR) \ - env -C $(SRC_DIR) go vet -v ./... \ - ') - -.PHONY: cache -cache: -ifneq ($(TOOLCHAIN_REPRODUCE),true) - git lfs pull --include=cache/toolchain.tgz - $(MAKE) toolchain-restore-mtime - touch fetch/apt/Packages.bz2 cache/toolchain.tgz -endif - -.PHONY: dist -dist: toolchain-dist - -.PHONY: reproduce -reproduce: - git lfs pull --include=fetch/apt/ - $(MAKE) toolchain-reproduce toolchain-profile + env -C src go vet -v ./... .PHONY: test -test: $(OUT_DIR)/ecr-proxy.linux-x86_64 - $(call toolchain,' \ - GOCACHE=/home/build/$(CACHE_DIR) \ - GOPATH=/home/build/$(CACHE_DIR) \ - env -C $(SRC_DIR) go test -v ./... 
\ - ') - -.PHONY: install -install: default - mkdir -p ~/.local/bin - cp $(OUT_DIR)/ecr-proxy.$(HOST_OS)-$(HOST_ARCH) ~/.local/bin/ecr-proxy - -# Clean repo back to initial clone state -.PHONY: clean -clean: toolchain-clean - git clean -dfx $(SRC_DIR) - rm -rf $(LOCAL_BUILD_DIR) - -$(KEY_DIR)/%.asc: - $(call fetch_pgp_key,$(basename $(notdir $@))) - -$(OUT_DIR)/ecr-proxy.%: - $(call toolchain-profile-start) - $(call toolchain,' \ - GOHOSTOS="linux" \ - GOHOSTARCH="amd64" \ - GOOS="$(word 1,$(subst -, ,$(word 2,$(subst ., ,$@))))" \ - GOARCH="$(call altarch,$(word 2,$(subst -, ,$(word 2,$(subst ., ,$@)))))" \ - GOCACHE=/home/build/$(CACHE_DIR) \ - GOPATH=/home/build/$(CACHE_DIR) \ - CGO_ENABLED=0 \ - env -C $(SRC_DIR)/cmd/ecr-proxy \ - go build \ - -trimpath \ - -ldflags="-s -w -buildid=''" \ - -o /home/build/$@ . \ - ') - $(call toolchain-profile-stop) - -.PHONY: build-local -build-local: - pushd $(shell git rev-parse --show-toplevel)/src; \ - go build -o ../$(LOCAL_BUILD_DIR)/ecr-proxy; \ - popd; +test: + env -C src go test -v ./... + +out/ecr-proxy/index.json: + docker build \ + -f Containerfile \ + --tag tkhq/ecr-proxy:latest \ + --output type=oci,tar=false,rewrite_timestamps=true,dest=out/ecr-proxy \ + .
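Review bot: The `docker build` in `out/ecr-proxy/index.json` passes `rewrite_timestamps=true`, but the BuildKit OCI/image exporter option is documented as `rewrite-timestamp=true` and it only rewrites file times to `SOURCE_DATE_EPOCH`, which this recipe never sets; confirm the spelling is accepted rather than silently ignored, because the old `Dockerfile`'s `SOURCE_DATE_EPOCH` handling is gone and reproducibility of the image now rests on this flag alone. Adding `SOURCE_DATE_EPOCH ?= $(shell git log -1 --pretty=%ct)` near the top (the bare `export` already passes every variable to the recipe) gives buildx the epoch it reads from the environment. The recipe also builds only the host platform, whereas the removed targets produced `linux-x86_64` and `linux-aarch64` artifacts and the workflow previously passed `platforms: linux/amd64,linux/arm64`; if the arm64 image is still wanted, add `--platform linux/amd64,linux/arm64 \` to the invocation, since the `Containerfile` already consumes `TARGETOS`/`TARGETARCH`.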