diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml
index b573e9a..0cdf0a9 100644
--- a/.github/workflows/pr.yaml
+++ b/.github/workflows/pr.yaml
@@ -31,6 +31,15 @@ jobs:
 password: ${{ secrets.REGISTRY_PASSWORD }}
 - name: Build
 run: ARCHS="linux/amd64" make build
+ - name: Trivy vulnerability scan (main image)
+ uses: aquasecurity/trivy-action@0.29.0
+ with:
+ image-ref: jorge07/alpine-php:${{ matrix.version }}
+ format: table
+ exit-code: "1"
+ ignore-unfixed: true
+ vuln-type: os,library
+ severity: CRITICAL
 - name: Test Main
 run: make test-main
 - name: Test Dev
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 99e0bb3..02a1451 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -23,6 +23,9 @@ jobs:
 REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
 name: release-${{ matrix.version }}
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
 steps:
 - uses: actions/checkout@v6
 - name: Set up QEMU
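Review bot: `uses: aquasecurity/trivy-action@0.29.0` pins a mutable release tag; for a step whose whole purpose is to fail the PR on CRITICAL findings, pin the action to its full commit SHA (keeping the version in a trailing comment) so the scanner itself cannot be swapped out underneath the gate — the same applies to the `docker/login-action@v3` ref added in release.yaml. The scan covers only `jorge07/alpine-php:${{ matrix.version }}`, while the neighbouring `Test Dev` step suggests a `-dev` variant is also built; if so, that image is not gated and presumably needs a second scan step or a matrix over both tags. With `severity: CRITICAL` and `ignore-unfixed: true`, HIGH findings are not reported at all, not merely non-blocking; if that is the intended policy, a comment such as `# gate on CRITICAL only; HIGH/MEDIUM are deliberately not reported here` would document it.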
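Review bot: The new job-level `permissions` block narrows `GITHUB_TOKEN` to `contents: read` and `packages: write`, but nothing explains why `packages: write` is needed, so a later edit could drop it (breaking the GHCR push) or widen it without context. Suggest a comment on the block: `# packages: write is needed only by the GHCR login/push steps below; everything else runs with the read-only token`. Once a job-level `permissions` block exists every unlisted scope becomes `none`, which is the intended least-privilege outcome here and is worth stating in that comment.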
@@ -38,9 +41,23 @@ jobs:
 with:
 username: ${{ secrets.REGISTRY_USERNAME }}
 password: ${{ secrets.REGISTRY_PASSWORD }}
- - name: Build and push
+ - name: Login to GHCR
+ uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+ - name: Build and push (Docker Hub)
 if: env.REGISTRY_USERNAME != ''
 run: make release
 - name: Build only (no push credentials)
 if: env.REGISTRY_USERNAME == ''
 run: make build
+ - name: Push to GHCR
+ if: env.REGISTRY_USERNAME != ''
+ run: |
+ SEMVER=$(docker run --rm -v $(pwd):/app jorge07/alpine-php:${VERSION} php -r "echo phpversion();")
+ docker buildx imagetools create --tag ghcr.io/jorge07/alpine-php:${VERSION} jorge07/alpine-php:${VERSION}
+ docker buildx imagetools create --tag ghcr.io/jorge07/alpine-php:${VERSION}-dev jorge07/alpine-php:${VERSION}-dev
+ docker buildx imagetools create --tag ghcr.io/jorge07/alpine-php:${SEMVER} jorge07/alpine-php:${SEMVER}
+ docker buildx imagetools create --tag ghcr.io/jorge07/alpine-php:${SEMVER}-dev jorge07/alpine-php:${SEMVER}-dev
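Review bot: The `Push to GHCR` step mirrors by re-resolving the Docker Hub tag (`docker buildx imagetools create --tag ghcr.io/jorge07/alpine-php:${VERSION} jorge07/alpine-php:${VERSION}`) rather than using what this job just built, so what lands in GHCR is whatever that tag resolves to on Docker Hub at that instant and the step silently depends on the `make release` push having completed; capturing the pushed digest and copying `jorge07/alpine-php@sha256:<digest-from-this-run>` would make the mirror attributable to this run. `SEMVER=$(docker run --rm -v $(pwd):/app jorge07/alpine-php:${VERSION} php -r "echo phpversion();")` mounts the entire workspace into a container only to print a version string; `-v $(pwd):/app` is unnecessary and should be dropped (and `$(pwd)` is unquoted). `Login to GHCR` runs unconditionally while the push it serves is gated on `env.REGISTRY_USERNAME != ''`; give the login step the same `if: env.REGISTRY_USERNAME != ''` so credential-less runs do not authenticate to a registry they never push to. `VERSION` is not defined within this hunk — presumably set in the job `env` above it.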