diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml
new file mode 100644
index 0000000..36ca13d
--- /dev/null
+++ b/.github/workflows/docker.yaml
@@ -0,0 +1,35 @@
+name: docker
+
+on:
+  push:
+    branches:
+      - master
+    paths:
+      - .github/workflows/docker.yaml
+      - pkg/**
+      - go.*
+      - Dockerfile
+    tags:
+      - v*
+  pull_request:
+    branches:
+      - master
+    paths:
+      - .github/workflows/docker.yaml
+      - pkg/**
+      - go.*
+      - Dockerfile
+
+jobs:
+  build-and-push:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: docker/setup-qemu-action@v1
+      - uses: docker/setup-buildx-action@v1
+      - uses: docker/login-action@v1
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.CR_PAT }}
+      - run: make docker-build-push
diff --git a/.github/workflows/go.yaml b/.github/workflows/go.yaml
index a522fd2..8cf1514 100644
--- a/.github/workflows/go.yaml
+++ b/.github/workflows/go.yaml
@@ -84,20 +84,6 @@ jobs:
           restore-keys: |
             go-${{ matrix.platform.GOOS }}-${{ matrix.platform.GOARCH }}-
       - run: make dist
-
-      # Docker image (Linux only)
-      - uses: docker/setup-buildx-action@v1
-        if: runner.os == 'Linux'
-      - uses: docker/login-action@v1
-        if: runner.os == 'Linux'
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.CR_PAT }}
-      - run: make docker-build-push
-        if: runner.os == 'Linux'
-
-      # GitHub Releases
       - run: make dist-release
         if: startswith(github.ref, 'refs/tags/')
         env:
diff --git a/Dockerfile b/Dockerfile
index 414f9db..d14972c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,3 +1,14 @@
+FROM golang:1.16 as builder
+
+WORKDIR /builder
+COPY go.* .
+RUN go mod download
+COPY Makefile .
+COPY main.go .
+COPY pkg pkg
+ARG VERSION
+RUN make VERSION=$VERSION
+
 FROM gcr.io/distroless/base-debian10
-COPY kubelogin /
+COPY --from=builder /builder/kubelogin /
 ENTRYPOINT ["/kubelogin"]
diff --git a/Makefile b/Makefile
index bcd967b..d89b5b2 100644
--- a/Makefile
+++ b/Makefile
@@ -2,7 +2,13 @@ TARGET := kubelogin
 TARGET_ARCHIVE := $(TARGET)_$(GOOS)_$(GOARCH).zip
 TARGET_DIGEST := $(TARGET)_$(GOOS)_$(GOARCH).zip.sha256
 
-VERSION := $(notdir $(GITHUB_REF))
+# determine the version from ref
+ifeq ($(GITHUB_REF), refs/heads/master)
+  VERSION := latest
+else
+  VERSION ?= $(notdir $(GITHUB_REF))
+endif
+
 LDFLAGS := -X main.version=$(VERSION)
 
 all: $(TARGET)
@@ -33,12 +39,13 @@ dist-release: dist
 DOCKER_REPOSITORY := ghcr.io/int128/kubelogin
 
 .PHONY: docker-build-push
-docker-build-push: Dockerfile $(TARGET)
+docker-build-push: Dockerfile
 	docker buildx build . \
+		--build-arg=VERSION=$(VERSION) \
 		--tag=$(DOCKER_REPOSITORY):$(VERSION) \
-		--cache-from=type=registry,ref=$(DOCKER_REPOSITORY):master \
+		--cache-from=type=registry,ref=$(DOCKER_REPOSITORY):latest \
 		--cache-to=type=inline \
-		--platform=$(GOOS)/$(GOARCH) \
+		--platform=linux/amd64,linux/arm64 \
 		--push
 
 .PHONY: clean