diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 9736a7e..11ac7bd 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -5,7 +5,7 @@ on: [push, pull_request]
 jobs:
 test:
 name: Test
- runs-on: ubuntu-latest
+ runs-on: ubuntu-24.04
 steps:
 - uses: actions/checkout@v4
@@ -31,3 +31,57 @@ jobs:
 - name: Run tests
 run: |
 mix test
+
+ docker:
+ name: Docker
+ runs-on: ubuntu-24.04
+
+ permissions:
+ contents: 'read'
+ id-token: 'write'
+
+ env:
+ IMAGE_NAME: 'bob'
+ PROJECT_ID: 'hexpm-prod'
+ SERVICE_ACCOUNT: ${{ secrets.GCLOUD_SERVICE_ACCOUNT }}
+ WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GCLOUD_WORKFLOW_IDENTITY_POOL_PROVIDER }}
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Set short git commit SHA
+ id: vars
+ run: |
+ calculatedSha=$(git rev-parse --short ${{ github.sha }})
+ echo "COMMIT_SHORT_SHA=$calculatedSha" >> $GITHUB_ENV
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Google auth
+ id: auth
+ uses: 'google-github-actions/auth@v2'
+ if: ${{ github.event_name != 'pull_request' }}
+ with:
+ token_format: 'access_token'
+ project_id: ${{ env.PROJECT_ID }}
+ service_account: ${{ env.SERVICE_ACCOUNT }}
+ workload_identity_provider: ${{ env.WORKLOAD_IDENTITY_PROVIDER }}
+
+ - name: Docker Auth
+ id: docker-auth
+ uses: 'docker/login-action@v3'
+ if: ${{ github.event_name != 'pull_request' }}
+ with:
+ registry: gcr.io
+ username: 'oauth2accesstoken'
+ password: '${{ steps.auth.outputs.access_token }}'
+
+ - name: Build and push
+ uses: docker/build-push-action@v6
+ with:
+ tags: gcr.io/${{ env.PROJECT_ID }}/${{ env.IMAGE_NAME }}:${{ env.COMMIT_SHORT_SHA }}
+ push: ${{ github.event_name != 'pull_request' }}
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
+
diff --git a/cloudbuild.yaml b/cloudbuild.yaml
deleted file mode 100644
index 31e302a..0000000
--- a/cloudbuild.yaml
+++ /dev/null
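Review bot: The `if:` conditions on the Google auth and Docker Auth steps and the `push:` input in the new `docker` job only exclude `pull_request`, while the trigger shown in the first hunk header is `on: [push, pull_request]` with no branch filter, so a push to any branch appears to obtain a token for the `hexpm-prod` service account and publish an image to `gcr.io`. Unless the workload identity provider already restricts the ref (not visible here), I would gate all three on the default branch, e.g. `if: ${{ github.event_name == 'push' && github.ref_name == github.event.repository.default_branch }}`. `id-token: 'write'` is also granted to the whole job, including pull-request runs where the auth steps are skipped. Because this job holds production credentials, the `docker/*` and `google-github-actions/auth` actions are better pinned to full commit SHAs than to the mutable `@v3`/`@v2`/`@v6` tags.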
@@ -1,49 +0,0 @@
-steps:
-- name: 'gcr.io/cloud-builders/docker'
- args: ['pull', 'gcr.io/$PROJECT_ID/bob-build:latest']
- id: pull-build
- waitFor: ['-']
-- name: 'gcr.io/cloud-builders/docker'
- args: ['pull', 'gcr.io/$PROJECT_ID/bob:latest']
- id: pull-app
- waitFor: ['-']
-- name: 'gcr.io/cloud-builders/docker'
- args:
- 'build'
- '-t'
- 'gcr.io/$PROJECT_ID/bob-build:latest'
- '-t'
- 'gcr.io/$PROJECT_ID/bob-build:$SHORT_SHA'
- '--cache-from'
- 'gcr.io/$PROJECT_ID/bob-build:latest'
- '--target'
- 'build'
- '.'
- id: build-build
- waitFor: ['pull-build']
-- name: 'gcr.io/cloud-builders/docker'
- args:
- 'build'
- '-t'
- 'gcr.io/$PROJECT_ID/bob:latest'
- '-t'
- 'gcr.io/$PROJECT_ID/bob:$SHORT_SHA'
- '--cache-from'
- 'gcr.io/$PROJECT_ID/bob-build:latest'
- '--cache-from'
- 'gcr.io/$PROJECT_ID/bob:latest'
- '--target'
- 'app'
- '.'
- id: build-app
- waitFor: ['build-build', 'pull-app']
-
-images:
-- 'gcr.io/$PROJECT_ID/bob-build:latest'
-- 'gcr.io/$PROJECT_ID/bob:latest'
-- 'gcr.io/$PROJECT_ID/bob-build:$SHORT_SHA'
-- 'gcr.io/$PROJECT_ID/bob:$SHORT_SHA'
-
-options:
- machineType: 'N1_HIGHCPU_8'
-