diff --git a/.gitea/workflows/publish-container.yaml b/.gitea/workflows/publish-container.yaml
new file mode 100644
index 0000000..6720f5f
--- /dev/null
+++ b/.gitea/workflows/publish-container.yaml
@@ -0,0 +1,46 @@
+name: Build, Secure, and Push Docker Image on Release
+
+on:
+ release:
+ types: [published, prereleased]
+
+permissions:
+ id-token: write
+ contents: read
+ packages: write
+
+jobs:
+ build-and-push:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v2
+
+ - name: Log in to DockerHub
+ uses: docker/login-action@v2
+ with:
+ username: ${{ secrets.DOCKERHUB_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_ACCESS_TOKEN }}
+
+ - name: Determine Tag Type
+ id: tag_type
+ run: |
+ if [[ "${{ github.event.release.prerelease }}" == "true" ]]; then
+ echo "tag=dev" >> $GITHUB_ENV
+ else
+ echo "tag=latest" >> $GITHUB_ENV
+ fi
+
+ - name: Build, push, and generate SBOM and provenance
+ run: |
+ docker buildx build \
+ --provenance=true \
+ --sbom=true \
+ --push \
+ -t docker.io/singatias/osq-website:${{ github.event.release.tag_name }} \
+ -t docker.io/singatias/osq-website:${{ env.tag }} \
+ .
\ No newline at end of file
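Review bot: The final build step expands `${{ github.event.release.tag_name }}` directly inside the `run:` script, so the release tag text becomes part of the shell source before bash parses it, in a job that is already logged in to DockerHub. Pass the value through the environment instead: give that step an `env:` entry `RELEASE_TAG: ${{ github.event.release.tag_name }}` and tag with `-t "docker.io/singatias/osq-website:${RELEASE_TAG}"`; the second tag can likewise read the variable as `"$tag"` rather than `${{ env.tag }}`. Separately, no visible step uses `id-token: write` or `packages: write` (the push goes to DockerHub with a stored token), so both can probably be dropped for least privilege. The `@v3`/`@v2` action references are mutable tags and would be safer pinned to full commit SHAs, given that this job holds the registry credential.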