diff --git a/.github/Dockerfile b/.github/Dockerfile
index 872f7e00..ccf06185 100644
--- a/.github/Dockerfile
+++ b/.github/Dockerfile
@@ -1,16 +1,8 @@
-# build stage
-FROM golang:alpine AS build
-RUN apk update && apk add git
-ADD . /src
-WORKDIR /src
-ENV CGO_ENABLED=0
-RUN go build \
-    -ldflags "-X github.com/jpillora/chisel/share.BuildVersion=$(git describe --abbrev=0 --tags)" \
-    -o /tmp/bin
-# run stage
+FROM alpine:3 AS certs
+RUN apk add --no-cache ca-certificates
+
 FROM scratch
 LABEL maintainer="dev@jpillora.com"
-COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
-WORKDIR /app
-COPY --from=build /tmp/bin /app/bin
-ENTRYPOINT ["/app/bin"]
\ No newline at end of file
+COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+COPY chisel /app/bin
+ENTRYPOINT ["/app/bin"]
diff --git a/.github/goreleaser.yml b/.github/goreleaser.yml
index 8ddc1375..bf159b10 100644
--- a/.github/goreleaser.yml
+++ b/.github/goreleaser.yml
@@ -59,3 +59,139 @@ changelog:
     exclude:
       - "^docs:"
       - "^test:"
+
+dockers:
+  - image_templates:
+      - "ghcr.io/jpillora/chisel:{{ .Version }}-amd64"
+      - "docker.io/jpillora/chisel:{{ .Version }}-amd64"
+    use: buildx
+    dockerfile: .github/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/amd64"
+    goarch: amd64
+
+  - image_templates:
+      - "ghcr.io/jpillora/chisel:{{ .Version }}-arm64"
+      - "docker.io/jpillora/chisel:{{ .Version }}-arm64"
+    use: buildx
+    dockerfile: .github/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/arm64"
+    goarch: arm64
+
+  - image_templates:
+      - "ghcr.io/jpillora/chisel:{{ .Version }}-armv7"
+      - "docker.io/jpillora/chisel:{{ .Version }}-armv7"
+    use: buildx
+    dockerfile: .github/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/arm/v7"
+    goarch: arm
+    goarm: "7"
+
+  - image_templates:
+      - "ghcr.io/jpillora/chisel:{{ .Version }}-armv6"
+      - "docker.io/jpillora/chisel:{{ .Version }}-armv6"
+    use: buildx
+    dockerfile: .github/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/arm/v6"
+    goarch: arm
+    goarm: "6"
+
+  - image_templates:
+      - "ghcr.io/jpillora/chisel:{{ .Version }}-386"
+      - "docker.io/jpillora/chisel:{{ .Version }}-386"
+    use: buildx
+    dockerfile: .github/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/386"
+    goarch: "386"
+
+  - image_templates:
+      - "ghcr.io/jpillora/chisel:{{ .Version }}-ppc64le"
+      - "docker.io/jpillora/chisel:{{ .Version }}-ppc64le"
+    use: buildx
+    dockerfile: .github/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/ppc64le"
+    goarch: ppc64le
+
+docker_manifests:
+  - name_template: "ghcr.io/jpillora/chisel:{{ .Version }}"
+    image_templates:
+      - "ghcr.io/jpillora/chisel:{{ .Version }}-amd64"
+      - "ghcr.io/jpillora/chisel:{{ .Version }}-arm64"
+      - "ghcr.io/jpillora/chisel:{{ .Version }}-armv7"
+      - "ghcr.io/jpillora/chisel:{{ .Version }}-armv6"
+      - "ghcr.io/jpillora/chisel:{{ .Version }}-386"
+      - "ghcr.io/jpillora/chisel:{{ .Version }}-ppc64le"
+
+  - name_template: "ghcr.io/jpillora/chisel:{{ .Major }}"
+    skip_push: "{{ if .Prerelease }}true{{ else }}false{{ end }}"
+    image_templates:
+      - "ghcr.io/jpillora/chisel:{{ .Version }}-amd64"
+      - "ghcr.io/jpillora/chisel:{{ .Version }}-arm64"
+      - "ghcr.io/jpillora/chisel:{{ .Version }}-armv7"
+      - "ghcr.io/jpillora/chisel:{{ .Version }}-armv6"
+      - "ghcr.io/jpillora/chisel:{{ .Version }}-386"
+      - "ghcr.io/jpillora/chisel:{{ .Version }}-ppc64le"
+
+  - name_template: "ghcr.io/jpillora/chisel:{{ .Major }}.{{ .Minor }}"
+    skip_push: "{{ if .Prerelease }}true{{ else }}false{{ end }}"
+    image_templates:
+      - "ghcr.io/jpillora/chisel:{{ .Version }}-amd64"
+      - "ghcr.io/jpillora/chisel:{{ .Version }}-arm64"
+      - "ghcr.io/jpillora/chisel:{{ .Version }}-armv7"
+      - "ghcr.io/jpillora/chisel:{{ .Version }}-armv6"
+      - "ghcr.io/jpillora/chisel:{{ .Version }}-386"
+      - "ghcr.io/jpillora/chisel:{{ .Version }}-ppc64le"
+
+  - name_template: "ghcr.io/jpillora/chisel:latest"
+    skip_push: "{{ if .Prerelease }}true{{ else }}false{{ end }}"
+    image_templates:
+      - "ghcr.io/jpillora/chisel:{{ .Version }}-amd64"
+      - "ghcr.io/jpillora/chisel:{{ .Version }}-arm64"
+      - "ghcr.io/jpillora/chisel:{{ .Version }}-armv7"
+      - "ghcr.io/jpillora/chisel:{{ .Version }}-armv6"
+      - "ghcr.io/jpillora/chisel:{{ .Version }}-386"
+      - "ghcr.io/jpillora/chisel:{{ .Version }}-ppc64le"
+
+  - name_template: "docker.io/jpillora/chisel:{{ .Version }}"
+    image_templates:
+      - "docker.io/jpillora/chisel:{{ .Version }}-amd64"
+      - "docker.io/jpillora/chisel:{{ .Version }}-arm64"
+      - "docker.io/jpillora/chisel:{{ .Version }}-armv7"
+      - "docker.io/jpillora/chisel:{{ .Version }}-armv6"
+      - "docker.io/jpillora/chisel:{{ .Version }}-386"
+      - "docker.io/jpillora/chisel:{{ .Version }}-ppc64le"
+
+  - name_template: "docker.io/jpillora/chisel:{{ .Major }}"
+    skip_push: "{{ if .Prerelease }}true{{ else }}false{{ end }}"
+    image_templates:
+      - "docker.io/jpillora/chisel:{{ .Version }}-amd64"
+      - "docker.io/jpillora/chisel:{{ .Version }}-arm64"
+      - "docker.io/jpillora/chisel:{{ .Version }}-armv7"
+      - "docker.io/jpillora/chisel:{{ .Version }}-armv6"
+      - "docker.io/jpillora/chisel:{{ .Version }}-386"
+      - "docker.io/jpillora/chisel:{{ .Version }}-ppc64le"
+
+  - name_template: "docker.io/jpillora/chisel:{{ .Major }}.{{ .Minor }}"
+    skip_push: "{{ if .Prerelease }}true{{ else }}false{{ end }}"
+    image_templates:
+      - "docker.io/jpillora/chisel:{{ .Version }}-amd64"
+      - "docker.io/jpillora/chisel:{{ .Version }}-arm64"
+      - "docker.io/jpillora/chisel:{{ .Version }}-armv7"
+      - "docker.io/jpillora/chisel:{{ .Version }}-armv6"
+      - "docker.io/jpillora/chisel:{{ .Version }}-386"
+      - "docker.io/jpillora/chisel:{{ .Version }}-ppc64le"
+
+  - name_template: "docker.io/jpillora/chisel:latest"
+    skip_push: "{{ if .Prerelease }}true{{ else }}false{{ end }}"
+    image_templates:
+      - "docker.io/jpillora/chisel:{{ .Version }}-amd64"
+      - "docker.io/jpillora/chisel:{{ .Version }}-arm64"
+      - "docker.io/jpillora/chisel:{{ .Version }}-armv7"
+      - "docker.io/jpillora/chisel:{{ .Version }}-armv6"
+      - "docker.io/jpillora/chisel:{{ .Version }}-386"
+      - "docker.io/jpillora/chisel:{{ .Version }}-ppc64le"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 0036cc89..a0211aa6 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -2,7 +2,6 @@ name: CI
 on:
   pull_request: {}
   push: {}
-permissions: write-all
 jobs:
   # ================
   # BUILD AND TEST JOB
@@ -29,64 +28,47 @@ jobs:
       - name: Test
         run: go test -v ./...
   # ================
-  # RELEASE BINARIES (on push "v*" tag)
+  # RELEASE (on push "v*" tag)
+  # Builds binaries, packages, and multi-arch Docker images via GoReleaser
   # ================
-  release_binaries:
-    name: Release Binaries
+  release:
+    name: Release
     needs: test
     if: startsWith(github.ref, 'refs/tags/v')
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      packages: write
     steps:
-      - name: Check out code
+      - name: Checkout
         uses: actions/checkout@v5
         with:
           fetch-depth: 0
-      - name: goreleaser
-        if: success()
-        uses: docker://goreleaser/goreleaser:latest
-        env:
-          GITHUB_USER: ${{ github.repository_owner }}
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          GOTOOLCHAIN: auto
+      - name: Set up Go
+        uses: actions/setup-go@v6
         with:
-          args: release --config .github/goreleaser.yml
-  # ================
-  # RELEASE DOCKER IMAGES (on push "v*" tag)
-  # ================
-  release_docker:
-    name: Release Docker Images
-    needs: test
-    if: startsWith(github.ref, 'refs/tags/v')
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check out code
-        uses: actions/checkout@v5
+          go-version: stable
+          cache: true
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
-      - name: Login to DockerHub
+      - name: Login to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Login to Docker Hub
         uses: docker/login-action@v3
         with:
           username: jpillora
           password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Docker meta
-        id: meta
-        uses: docker/metadata-action@v5
-        with:
-          images: jpillora/chisel
-          tags: |
-            type=semver,pattern={{version}}
-            type=semver,pattern={{major}}.{{minor}}
-            type=semver,pattern={{major}}
-      - name: Build and push
-        uses: docker/build-push-action@v6
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v6
         with:
-          context: .
-          file: .github/Dockerfile
-          platforms: linux/amd64,linux/arm64,linux/ppc64le,linux/386,linux/arm/v7,linux/arm/v6
-          push: true
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
+          distribution: goreleaser
+          version: v2.12.7
+          args: release --clean --config .github/goreleaser.yml
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}