diff --git a/.github/docker/Dockerfile.production b/.github/docker/Dockerfile.production
deleted file mode 100644
index 63b7d0654d..0000000000
--- a/.github/docker/Dockerfile.production
+++ /dev/null
@@ -1,37 +0,0 @@
-FROM debian:bookworm-slim
-
-ARG DEB_FILE
-ARG DEB_DEBUG_FILE
-
-ENV DEBIAN_FRONTEND=noninteractive
-
-USER root
-
-RUN apt-get update && apt-get install adduser && apt-get clean
-
-RUN addgroup --gid 10001 --system liquidsoap && \
-    adduser --system --disabled-password --disabled-login --uid 10000 \
-    --home /var/cache/liquidsoap --ingroup liquidsoap liquidsoap && \
-    usermod --append --groups audio liquidsoap
-
-# For ffmpeg with libfdk-aac
-RUN apt-get update && apt install -y ca-certificates && \
-    echo "deb https://www.deb-multimedia.org bookworm main non-free" >> /etc/apt/sources.list && \
-    apt-get update -oAcquire::AllowInsecureRepositories=true && \
-    apt-get install -y --allow-unauthenticated deb-multimedia-keyring
-
-COPY $DEB_FILE liquidsoap.deb
-COPY $DEB_DEBUG_FILE liquidsoap-debug.deb
-
-RUN apt-get update && \
-    apt-get dist-upgrade -y && \
-    apt install -y ./liquidsoap.deb ./liquidsoap-debug.deb && \
-    apt-get install -y tini && \
-    apt-get clean && \
-    rm -f ./liquidsoap.deb ./liquidsoap-debug.deb
-
-USER liquidsoap
-
-RUN liquidsoap --cache-stdlib
-
-ENTRYPOINT ["/usr/bin/tini", "--", "/usr/bin/liquidsoap"]
diff --git a/.github/docker/Dockerfile.production-alpine b/.github/docker/Dockerfile.production-alpine
deleted file mode 100644
index 4b39d3c727..0000000000
--- a/.github/docker/Dockerfile.production-alpine
+++ /dev/null
@@ -1,18 +0,0 @@
-FROM alpine:edge
-
-ARG APK_FILE
-
-USER root
-
-COPY $APK_FILE /tmp/liquidsoap.apk
-
-RUN apk add --allow-untrusted --no-cache \
-      -X http://dl-cdn.alpinelinux.org/alpine/edge/testing \
-      tini /tmp/liquidsoap.apk && \
-      rm -rf /tmp/liquidsoap.apk
-
-USER liquidsoap
-
-RUN liquidsoap --cache-stdlib
-
-ENTRYPOINT ["/sbin/tini", "--", "/usr/bin/liquidsoap"]
diff --git a/.github/docker/alpine.dockerfile b/.github/docker/alpine.dockerfile
new file mode 100644
index 0000000000..91767fa6bb
--- /dev/null
+++ b/.github/docker/alpine.dockerfile
@@ -0,0 +1,20 @@
+FROM alpine:edge AS downloader
+
+ARG APK_FILE
+
+COPY $APK_FILE /downloads/liquidsoap.apk
+
+FROM alpine:edge
+
+RUN --mount=type=bind,from=downloader,source=/downloads,target=/downloads \
+    set -eux; \
+      echo 'https://dl-cdn.alpinelinux.org/alpine/edge/testing' >> /etc/apk/repositories; \
+      apk add --allow-untrusted --no-cache \
+        /downloads/liquidsoap.apk \
+      ;
+
+USER liquidsoap
+
+RUN liquidsoap --cache-stdlib
+
+ENTRYPOINT ["/usr/bin/liquidsoap"]
diff --git a/.github/docker/debian.dockerfile b/.github/docker/debian.dockerfile
new file mode 100644
index 0000000000..65cf8144d6
--- /dev/null
+++ b/.github/docker/debian.dockerfile
@@ -0,0 +1,55 @@
+FROM debian:12-slim AS downloader
+
+ARG DEB_FILE
+ARG DEB_DEBUG_FILE
+COPY $DEB_FILE /downloads/liquidsoap.deb
+COPY $DEB_DEBUG_FILE /downloads/liquidsoap-debug.deb
+
+ARG DEB_MULTIMEDIA_KEYRING="https://www.deb-multimedia.org/pool/main/d/deb-multimedia-keyring/deb-multimedia-keyring_2024.9.1_all.deb"
+ARG DEB_MULTIMEDIA_KEYRING_SHA256SUM="8dc6cbb266c701cfe58bd1d2eb9fe2245a1d6341c7110cfbfe3a5a975dcf97ca"
+
+RUN set -eux; \
+      apt-get update; \
+      apt-get install -y --no-install-recommends \
+        ca-certificates \
+        wget \
+      ; \
+      wget "$DEB_MULTIMEDIA_KEYRING" -O /downloads/deb-multimedia-keyring.deb; \
+      echo "$DEB_MULTIMEDIA_KEYRING_SHA256SUM  /downloads/deb-multimedia-keyring.deb" | sha256sum -c -;
+
+FROM debian:12-slim
+
+ARG DEBIAN_FRONTEND=noninteractive
+
+# For ffmpeg with libfdk-aac
+RUN --mount=type=bind,from=downloader,source=/downloads,target=/downloads \
+    set -eux; \
+      apt-get update; \
+      apt-get install -y --no-install-recommends \
+        /downloads/deb-multimedia-keyring.deb \
+        ca-certificates \
+      ; \
+      echo 'deb https://www.deb-multimedia.org bookworm main non-free' > \
+        /etc/apt/sources.list.d/deb-multimedia.list; \
+      rm -rf \
+        /var/lib/apt/lists \
+        /var/lib/dpkg/status-old \
+      ;
+
+RUN --mount=type=bind,from=downloader,source=/downloads,target=/downloads \
+    set -eux; \
+      apt-get update; \
+      apt-get install -y --no-install-recommends \
+        /downloads/liquidsoap.deb \
+        /downloads/liquidsoap-debug.deb \
+      ; \
+      rm -rf \
+        /var/lib/apt/lists \
+        /var/lib/dpkg/status-old \
+      ;
+
+USER liquidsoap
+
+RUN liquidsoap --cache-stdlib
+
+ENTRYPOINT ["/usr/bin/liquidsoap"]
diff --git a/.github/docker/Dockerfile.website b/.github/docker/website.dockerfile
similarity index 100%
rename from .github/docker/Dockerfile.website
rename to .github/docker/website.dockerfile
diff --git a/.github/scripts/build-docker-alpine.sh b/.github/scripts/build-docker-alpine.sh
deleted file mode 100755
index 9b3888c1e0..0000000000
--- a/.github/scripts/build-docker-alpine.sh
+++ /dev/null
@@ -1,31 +0,0 @@
-#!/bin/sh
-
-set -e
-
-APK_FILE="$1"
-TAG="$2"
-USER="$3"
-PASSWORD="$4"
-ARCHITECTURE="$5"
-
-cp "$APK_FILE" .
-
-docker login -u "$USER" -p "$PASSWORD"
-
-docker build \
-  --pull \
-  --no-cache \
-  --provenance false \
-  --build-arg "APK_FILE=$APK_FILE" \
-  --file .github/docker/Dockerfile.production-alpine \
-  --tag "savonet/liquidsoap-ci-build:${TAG}_alpine_${ARCHITECTURE}" \
-  --push \
-  .
-
-docker pull "savonet/liquidsoap-ci-build:${TAG}_alpine_${ARCHITECTURE}"
-
-docker tag \
-  "savonet/liquidsoap-ci-build:${TAG}_alpine_${ARCHITECTURE}" \
-  "ghcr.io/savonet/liquidsoap-ci-build:${TAG}_alpine_${ARCHITECTURE}"
-
-docker push "ghcr.io/savonet/liquidsoap-ci-build:${TAG}_alpine_${ARCHITECTURE}"
diff --git a/.github/scripts/build-docker.sh b/.github/scripts/build-docker.sh
deleted file mode 100755
index d1b241a5a7..0000000000
--- a/.github/scripts/build-docker.sh
+++ /dev/null
@@ -1,35 +0,0 @@
-#!/bin/sh
-
-set -e
-
-DEB_FILE="$1"
-DEB_DEBUG_FILE="$2"
-TAG="$3"
-USER="$4"
-PASSWORD="$5"
-ARCHITECTURE="$6"
-
-cp "$DEB_FILE" "$DEB_DEBUG_FILE" .
-
-DOCKERFILE=.github/docker/Dockerfile.production
-
-docker login -u "$USER" -p "$PASSWORD"
-
-docker build \
-  --pull \
-  --no-cache \
-  --provenance false \
-  --build-arg "DEB_FILE=$DEB_FILE" \
-  --build-arg "DEB_DEBUG_FILE=$DEB_DEBUG_FILE" \
-  --file "${DOCKERFILE}" \
-  --tag "savonet/liquidsoap-ci-build:${TAG}_${ARCHITECTURE}" \
-  --push \
-  .
-
-docker pull "savonet/liquidsoap-ci-build:${TAG}_${ARCHITECTURE}"
-
-docker tag \
-  "savonet/liquidsoap-ci-build:${TAG}_${ARCHITECTURE}" \
-  "ghcr.io/savonet/liquidsoap-ci-build:${TAG}_${ARCHITECTURE}"
-
-docker push "ghcr.io/savonet/liquidsoap-ci-build:${TAG}_${ARCHITECTURE}"
diff --git a/.github/scripts/build-website.sh b/.github/scripts/build-website.sh
index 77174ea8f5..c46bffb548 100755
--- a/.github/scripts/build-website.sh
+++ b/.github/scripts/build-website.sh
@@ -7,7 +7,7 @@ BASE_DIR=$(cd "${PWD}/../.." && pwd)
 
 DOCKER_IMAGE=savonet/liquidsoap-github-actions-website
 
-docker build --no-cache --tag "${DOCKER_IMAGE}" --file "${BASE_DIR}/.github/docker/Dockerfile.website" .
+docker build --no-cache --tag "${DOCKER_IMAGE}" --file "${BASE_DIR}/.github/docker/website.dockerfile" .
 
 id="$(docker create "${DOCKER_IMAGE}")"
 docker cp "$id:/tmp/liquidsoap-full/website/html" html/
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index b3322b0370..18f65bb9df 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -31,6 +31,7 @@ jobs:
       is_release: ${{ steps.build_details.outputs.is_release }}
       is_rolling_release: ${{ steps.build_details.outputs.is_rolling_release }}
       is_fork: ${{ steps.build_details.outputs.is_fork }}
+      publish_docker_image: ${{ steps.build_details.outputs.is_fork != 'true' && github.event_name != 'merge_group' }}
       build_os: ${{ steps.build_details.outputs.build_os }}
       build_platform: ${{ steps.build_details.outputs.build_platform }}
       build_include: ${{ steps.build_details.outputs.build_include }}
@@ -615,7 +616,6 @@ jobs:
   build_docker:
     runs-on: ${{ matrix.runs-on }}
     needs: [build_details, build_posix, fetch_s3_artifacts]
-    if: needs.build_details.outputs.is_fork != 'true' && github.event_name != 'merge_group'
     strategy:
       fail-fast: false
       matrix:
@@ -638,15 +638,36 @@ jobs:
         run: |
           echo "deb-file=$(find artifacts/${{ needs.build_details.outputs.sha }} -type f | grep ${{ matrix.docker-debian-os }} | grep -v minimal | grep '${{ matrix.platform }}\.deb$' | grep dbgsym | grep deb)" >> "${GITHUB_OUTPUT}"
         id: debian_debug_package
-      - name: Log in to the github registry
-        run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
-      - name: Build docker image
-        run: .github/scripts/build-docker.sh ${{ steps.debian_package.outputs.deb-file }} ${{ steps.debian_debug_package.outputs.deb-file }} ${{ needs.build_details.outputs.branch }} ${{ secrets.DOCKERHUB_USER }} ${{ secrets.DOCKERHUB_PASSWORD }} ${{ matrix.platform }}
+      - name: Login to Docker Hub
+        if: needs.build_details.outputs.publish_docker_image == 'true'
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USER }}
+          password: ${{ secrets.DOCKERHUB_PASSWORD }}
+      - name: Login to GitHub Container Registry
+        if: needs.build_details.outputs.publish_docker_image == 'true'
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Build and push docker image
+        uses: docker/build-push-action@v6
+        with:
+          build-args: |
+            "DEB_FILE=${{ steps.debian_package.outputs.deb-file }}"
+            "DEB_DEBUG_FILE=${{ steps.debian_debug_package.outputs.deb-file }}"
+          context: .
+          file: .github/docker/debian.dockerfile
+          tags: |
+            "savonet/liquidsoap-ci-build:${{ needs.build_details.outputs.branch }}_${{ matrix.platform }}"
+            "ghcr.io/savonet/liquidsoap-ci-build:${{ needs.build_details.outputs.branch }}_${{ matrix.platform }}"
+          push: ${{ needs.build_details.outputs.publish_docker_image }}
 
   build_docker_alpine:
     runs-on: ${{ matrix.runs-on }}
-    needs: [build_details, run_tests, build_posix, fetch_s3_artifacts]
-    if: needs.build_details.outputs.is_fork != 'true' && github.event_name != 'merge_group'
+    needs: [build_details, build_posix, fetch_s3_artifacts]
+    if: needs.build_details.outputs.is_fork != 'true'
     strategy:
       fail-fast: false
       matrix:
@@ -665,15 +686,34 @@ jobs:
         run: |
           echo "apk-file=$(find artifacts/${{ needs.build_details.outputs.sha }} -type f | grep -v minimal | grep 'apk$' | grep -v dbg | grep ${{ matrix.alpine-arch }})" >> "${GITHUB_OUTPUT}"
         id: alpine_package
-      - name: Log in to the github registry
-        run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
-      - name: Build docker image
-        run: .github/scripts/build-docker-alpine.sh ${{ steps.alpine_package.outputs.apk-file }} ${{ needs.build_details.outputs.branch }} ${{ secrets.DOCKERHUB_USER }} ${{ secrets.DOCKERHUB_PASSWORD }} ${{ matrix.platform }}
+      - name: Login to Docker Hub
+        if: needs.build_details.outputs.publish_docker_image == 'true'
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USER }}
+          password: ${{ secrets.DOCKERHUB_PASSWORD }}
+      - name: Login to GitHub Container Registry
+        if: needs.build_details.outputs.publish_docker_image == 'true'
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Build and push docker image
+        uses: docker/build-push-action@v6
+        with:
+          build-args: |
+            "APK_FILE=${{ steps.alpine_package.outputs.apk-file }}"
+          context: .
+          file: .github/docker/alpine.dockerfile
+          tags: |
+            "savonet/liquidsoap-ci-build:${{ needs.build_details.outputs.branch }}_alpine_${{ matrix.platform }}"
+            "ghcr.io/savonet/liquidsoap-ci-build:${{ needs.build_details.outputs.branch }}_alpine_${{ matrix.platform }}"
+          push: ${{ needs.build_details.outputs.publish_docker_image }}
 
   build_docker_minimal:
     runs-on: ${{ matrix.runs-on }}
-    needs: [build_details, run_tests, build_posix, fetch_s3_artifacts]
-    if: needs.build_details.outputs.is_fork != 'true' && github.event_name != 'merge_group'
+    needs: [build_details, build_posix, fetch_s3_artifacts]
     strategy:
       fail-fast: false
       matrix:
@@ -696,15 +736,36 @@ jobs:
         run: |
           echo "deb-file=$(find artifacts/${{ needs.build_details.outputs.sha }} -type f | grep ${{ matrix.docker-debian-os }} | grep minimal | grep '${{ matrix.platform }}\.deb$' | grep dbgsym | grep deb)" >> "${GITHUB_OUTPUT}"
         id: debian_debug_package
-      - name: Log in to the github registry
-        run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
-      - name: Build docker image
-        run: .github/scripts/build-docker.sh ${{ steps.debian_package.outputs.deb-file }} ${{ steps.debian_debug_package.outputs.deb-file }} ${{ needs.build_details.outputs.branch }}-minimal ${{ secrets.DOCKERHUB_USER }} ${{ secrets.DOCKERHUB_PASSWORD }} ${{ matrix.platform }}
+      - name: Login to Docker Hub
+        if: needs.build_details.outputs.publish_docker_image == 'true'
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USER }}
+          password: ${{ secrets.DOCKERHUB_PASSWORD }}
+      - name: Login to GitHub Container Registry
+        if: needs.build_details.outputs.publish_docker_image == 'true'
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Build and push docker image
+        uses: docker/build-push-action@v6
+        with:
+          build-args: |
+            "DEB_FILE=${{ steps.debian_package.outputs.deb-file }}"
+            "DEB_DEBUG_FILE=${{ steps.debian_debug_package.outputs.deb-file }}"
+          context: .
+          file: .github/docker/debian.dockerfile
+          tags: |
+            "savonet/liquidsoap-ci-build:${{ needs.build_details.outputs.branch }}-minimal_${{ matrix.platform }}"
+            "ghcr.io/savonet/liquidsoap-ci-build:${{ needs.build_details.outputs.branch }}-minimal_${{ matrix.platform }}"
+          push: ${{ needs.build_details.outputs.publish_docker_image }}
 
   build_docker_alpine_minimal:
     runs-on: ${{ matrix.runs-on }}
-    needs: [build_details, run_tests, build_posix, fetch_s3_artifacts]
-    if: needs.build_details.outputs.is_fork != 'true' && github.event_name != 'merge_group'
+    needs: [build_details, build_posix, fetch_s3_artifacts]
+    if: needs.build_details.outputs.is_fork != 'true'
     strategy:
       fail-fast: false
       matrix:
@@ -723,14 +784,30 @@ jobs:
         run: |
           echo "apk-file=$(find artifacts/${{ needs.build_details.outputs.sha }} -type f | grep minimal | grep 'apk$' | grep -v dbg | grep ${{ matrix.alpine-arch }})" >> "${GITHUB_OUTPUT}"
         id: alpine_package
-      - name: Get alpine debug package
-        run: |
-          echo "apk-file=$(find artifacts/${{ needs.build_details.outputs.sha }} -type f | grep minimal | grep 'apk$' | grep dbg | grep ${{ matrix.alpine-arch }})" >> "${GITHUB_OUTPUT}"
-        id: alpine_dbg_package
-      - name: Log in to the github registry
-        run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
-      - name: Build docker image
-        run: .github/scripts/build-docker-alpine.sh ${{ steps.alpine_package.outputs.apk-file }} ${{ steps.alpine_dbg_package.outputs.apk-file }} ${{ needs.build_details.outputs.branch }}-minimal ${{ secrets.DOCKERHUB_USER }} ${{ secrets.DOCKERHUB_PASSWORD }} ${{ matrix.platform }}
+      - name: Login to Docker Hub
+        if: needs.build_details.outputs.publish_docker_image == 'true'
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USER }}
+          password: ${{ secrets.DOCKERHUB_PASSWORD }}
+      - name: Login to GitHub Container Registry
+        if: needs.build_details.outputs.publish_docker_image == 'true'
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Build and push docker image
+        uses: docker/build-push-action@v6
+        with:
+          build-args: |
+            "APK_FILE=${{ steps.alpine_package.outputs.apk-file }}"
+          context: .
+          file: .github/docker/alpine.dockerfile
+          tags: |
+            "savonet/liquidsoap-ci-build:${{ needs.build_details.outputs.branch }}-minimal_alpine_${{ matrix.platform }}"
+            "ghcr.io/savonet/liquidsoap-ci-build:${{ needs.build_details.outputs.branch }}-minimal_alpine_${{ matrix.platform }}"
+          push: ${{ needs.build_details.outputs.publish_docker_image }}
 
   build_docker_release:
     runs-on: ubuntu-latest