diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 7a3bdd3..94df2d4 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -11,6 +11,7 @@ permissions:
 
 env:
   PYTHON_VERSION: "3.11"
+  IMAGE_NAME: keywarden-api
   # Used by tests / alembic; matches docker compose environment
   KEYWARDEN_POSTGRES_USER: postgres
   KEYWARDEN_POSTGRES_PASSWORD: postgres
@@ -144,7 +145,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
-      # Detect runner flavor and pick cache mode
+      # Choose Buildx cache backend: gha on GitHub, local on act_runner
       - name: Select Buildx cache backend
         run: |
           if [ "${ACT:-}" = "true" ]; then
@@ -155,23 +156,36 @@ jobs:
             echo "CACHE_FROM=type=gha" >> $GITHUB_ENV
           fi
 
-      # (Only needed for local cache on act_runner)
-      - name: Prepare local Buildx cache dir
+      - name: Prepare local cache dir (act_runner only)
         if: ${{ env.ACT == 'true' }}
         run: mkdir -p /tmp/.buildx-cache
-        
+
+      - name: Set image reference (Gitea)
+        run: |
+          echo "GT_IMAGE=${{ secrets.GITEA_REGISTRY }}/${{ secrets.GITEA_NAMESPACE }}/${{ env.IMAGE_NAME }}" >> $GITHUB_ENV
+
+      - name: Set up QEMU (optional)
+        uses: docker/setup-qemu-action@v3
+
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
-        with:
-          # optional: helps debugging cache issues
-          buildkitd-flags: --debug
 
-      - name: Build image (no push)
+      - name: Set image reference
+        run: echo "GT_IMAGE=${{ secrets.REGISTRY_HOST }}/${{ secrets.REGISTRY_NAMESPACE }}/${{ env.IMAGE_NAME }}" >> $GITHUB_ENV
+
+      - name: Login to registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ secrets.REGISTRY_HOST }}
+          username: ${{ secrets.REGISTRY_USER }}
+          password: ${{ secrets.REGISTRY_TOKEN }}
+
+      - name: Build & push
         uses: docker/build-push-action@v5
         with:
           context: .
-          tags: keywarden:ci
-          push: false         # or true, if you want to push
-          load: false         # set true if you need the image in the job afterward
-          cache-from: ${{ env.CACHE_FROM }}
-          cache-to: ${{ env.CACHE_TO }}
\ No newline at end of file
+          push: true
+          tags: |
+            ${{ env.GT_IMAGE }}:${{ github.ref_name }}
+            ${{ env.GT_IMAGE }}:sha-${{ github.sha }}
+            ${{ env.GT_IMAGE }}:latest
\ No newline at end of file