diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 0036122..5d76c52 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,5 +1,10 @@
 name: Build and Publish
-on: [push]
+on:
+  push:
+    branches: [main]
+    tags: ['*']
+  pull_request:
+    branches: [main]
 
 jobs:
 
@@ -7,7 +12,7 @@ jobs:
     name: Lint Dockerfile
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@master
+      - uses: actions/checkout@v6
       - run: npm i
       - run: npm test
 
@@ -15,46 +20,56 @@ jobs:
     needs: lint
     name: Build and publish Docker image
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@master
+      - uses: actions/checkout@v6
 
-      - name: Build image
-        run: docker build -t gcp-ruby .
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v4
 
-      - name: Test Ruby
-        run: docker run gcp-ruby bash -c "which ruby || exit 1"
+      - name: Set up Buildx
+        uses: docker/setup-buildx-action@v4
 
-      - name: Test Bundler
-        run: docker run gcp-ruby bash -c "which bundle || exit 1"
-
-      - name: Test Google Cloud SDK
-        run: docker run gcp-ruby bash -c "which gcloud || exit 1"
-
-      - name: Test Node.js
-        run: docker run gcp-ruby bash -c "which node || exit 1"
-
-      - name: Test Yarn
-        run: docker run gcp-ruby bash -c "which yarn || exit 1"
-
-      - name: Test Chrome
-        run: docker run gcp-ruby bash -c "which google-chrome || exit 1"
+      - name: Docker login
+        uses: docker/login-action@v4
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_ACCESS_TOKEN }}
 
-      - name: Test Docker
-        run: docker run gcp-ruby bash -c "which docker || exit 1"
+      - name: Compute tags
+        id: meta
+        uses: docker/metadata-action@v6
+        with:
+          images: savingsutd/gcp-ruby
+          tags: |
+            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
+            type=ref,event=tag
 
-      - name: Docker login
-        run: |
-          echo ${{ secrets.DOCKER_ACCESS_TOKEN }} | docker login --username ${{ secrets.DOCKER_USERNAME }} --password-stdin
+      - name: Build amd64 for smoke tests
+        uses: docker/build-push-action@v7
+        with:
+          context: .
+          platforms: linux/amd64
+          load: true
+          tags: gcp-ruby:test
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
 
-      - name: Publish latest
+      - name: Smoke test binaries
         run: |
-          docker tag gcp-ruby savingsutd/gcp-ruby:latest &&
-          docker push savingsutd/gcp-ruby:latest
-        if: success() && github.ref == 'refs/heads/main'
+          for bin in ruby bundle gcloud node yarn google-chrome docker; do
+            docker run --rm gcp-ruby:test bash -c "which $bin" || exit 1
+          done
 
-      - name: Publish release
-        run: |
-          export RELEASE_TAG=$(echo $GITHUB_REF | sed -e 's,.*/\(.*\),\1,') &&
-          docker tag gcp-ruby savingsutd/gcp-ruby:$RELEASE_TAG &&
-          docker push savingsutd/gcp-ruby:$RELEASE_TAG
-        if: success() && contains(github.ref, 'refs/tags')
+      - name: Build and push multi-arch
+        if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/')
+        uses: docker/build-push-action@v7
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
diff --git a/Dockerfile b/Dockerfile
index 845edda..8d9f66e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -3,19 +3,19 @@ FROM ruby:3.4.9
 LABEL version="3.4.9"
 LABEL maintainer="Ain Tohvri <ain.tohvri@samwise-media.com>"
 
-RUN echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] http://packages.cloud.google.com/apt cloud-sdk main" | tee -a /etc/apt/sources.list.d/google-cloud-sdk.list && \
+RUN echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] http://packages.cloud.google.com/apt cloud-sdk main" \
+      | tee -a /etc/apt/sources.list.d/google-cloud-sdk.list && \
     curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | gpg --dearmor -o /usr/share/keyrings/cloud.google.gpg && \
     curl -fsSL https://get.docker.com -o get-docker.sh && sh get-docker.sh && \
     curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /usr/share/keyrings/nodesource.gpg && \
-    echo "deb [signed-by=/usr/share/keyrings/nodesource.gpg] https://deb.nodesource.com/node_22.x nodistro main" | tee /etc/apt/sources.list.d/nodesource.list && \
-    wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | gpg --dearmor -o /usr/share/keyrings/chrome.gpg && \
-    sh -c 'echo "deb [arch=amd64 signed-by=/usr/share/keyrings/chrome.gpg] http://dl.google.com/linux/chrome/deb/ stable main" >> /etc/apt/sources.list.d/google.list' && \
+    echo "deb [signed-by=/usr/share/keyrings/nodesource.gpg] https://deb.nodesource.com/node_22.x nodistro main" \
+      | tee /etc/apt/sources.list.d/nodesource.list && \
     apt update && \
-    apt install -y google-cloud-sdk nodejs google-chrome-unstable python3-setuptools imagemagick libmagickwand-dev xvfb --no-install-recommends && \
+    apt install -y --no-install-recommends \
+      google-cloud-sdk nodejs chromium python3-setuptools imagemagick libmagickwand-dev xvfb && \
+    ln -sf /usr/bin/chromium /usr/local/bin/google-chrome && \
     npm install -g corepack && \
     yarn set version stable && \
-    rm /package.json && \
-    apt autoremove && \
-    apt autoclean && \
-    rm -rf /var/lib/apt/lists/* && \
-    rm -rf /var/lib/cache/*
+    rm -f /package.json && \
+    apt autoremove -y && apt autoclean && \
+    rm -rf /var/lib/apt/lists/* /var/lib/cache/*