diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 93ae24cc..71342bcd 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -37,6 +37,23 @@ jobs:
 id: build-and-push-image
 with:
 image-flavor: "${{ matrix.image-flavor }}"
+ - name: Push latest tag
+ if: startsWith(github.ref, 'refs/tags/')
+ run: |
+ if ! git merge-base --is-ancestor "${{ github.sha }}" origin/main; then
+ echo "Skipping latest push: tagged commit is not on main"
+ exit 0
+ fi
+ CURRENT="${{ github.ref_name }}"
+ LATEST="$(git tag --merged origin/main --sort=-version:refname | head -1)"
+ if [[ "${CURRENT}" != "${LATEST}" ]]; then
+ echo "Skipping latest push: ${CURRENT} is not the highest version tag on main (${LATEST} is)"
+ exit 0
+ fi
+ IMAGE="${{ steps.build-and-push-image.outputs.image-tag }}"
+ LATEST_IMAGE="quay.io/stackrox-io/apollo-ci:${{ matrix.image-flavor }}-latest"
+ docker tag "${IMAGE}" "${LATEST_IMAGE}"
+ docker push "${LATEST_IMAGE}"
 - name: Save image info
 run: |
 mkdir -p image-info
@@ -67,6 +84,23 @@ jobs:
 id: build-and-push-image
 with:
 image-flavor: "${{ matrix.image-flavor }}"
+ - name: Push latest tag
+ if: startsWith(github.ref, 'refs/tags/')
+ run: |
+ if ! git merge-base --is-ancestor "${{ github.sha }}" origin/main; then
+ echo "Skipping latest push: tagged commit is not on main"
+ exit 0
+ fi
+ CURRENT="${{ github.ref_name }}"
+ LATEST="$(git tag --merged origin/main --sort=-version:refname | head -1)"
+ if [[ "${CURRENT}" != "${LATEST}" ]]; then
+ echo "Skipping latest push: ${CURRENT} is not the highest version tag on main (${LATEST} is)"
+ exit 0
+ fi
+ IMAGE="${{ steps.build-and-push-image.outputs.image-tag }}"
+ LATEST_IMAGE="quay.io/stackrox-io/apollo-ci:${{ matrix.image-flavor }}-latest"
+ docker tag "${IMAGE}" "${LATEST_IMAGE}"
+ docker push "${LATEST_IMAGE}"
 - name: Save image info
 run: |
 mkdir -p image-info
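Review bot: `CURRENT="${{ github.ref_name }}"` expands the tag name into the script text before bash parses it, so a tag name containing shell metacharacters is run as code in a job that evidently holds registry push credentials (the `docker push` a few lines down needs them). Read the values from the runner's environment instead: `CURRENT="${GITHUB_REF_NAME}"` and `git merge-base --is-ancestor "${GITHUB_SHA}" origin/main`, and hand `steps.build-and-push-image.outputs.image-tag` to the script through an `env:` entry on the step. The second `Push latest tag` hunk in this file is an identical copy and needs the same change.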
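Review bot: `if ! git merge-base --is-ancestor … origin/main` treats every non-zero exit as "not on main", but git returns 1 for that case and a different status when it cannot resolve `origin/main` or the needed history is missing. The checkout step is outside the hunk, so I can't tell whether it fetches full history and tags; if it does not, every tag build logs a skip and exits 0, and `latest` silently stops moving. Separate the two outcomes so that a git error fails the step instead of being reported as a skip; the first `Push latest tag` hunk carries the same check.

```yaml
        run: |
          # exit 1 = not an ancestor; any other non-zero status is a git error
          rc=0
          git merge-base --is-ancestor "${{ github.sha }}" origin/main || rc=$?
          if [[ "${rc}" -eq 1 ]]; then
            echo "Skipping latest push: tagged commit is not on main"
            exit 0
          elif [[ "${rc}" -ne 0 ]]; then
            echo "::error::could not compare the tagged commit with origin/main (git exit ${rc})"
            exit "${rc}"
          fi
          # … unchanged: highest-version-tag check, docker tag and docker push …
```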
diff --git a/.github/workflows/promote-stable.yaml b/.github/workflows/promote-stable.yaml
new file mode 100644
index 00000000..392b6994
--- /dev/null
+++ b/.github/workflows/promote-stable.yaml
@@ -0,0 +1,31 @@
+name: Promote to stable
+
+on:
+ workflow_dispatch:
+ inputs:
+ version:
+ description: "Version to promote (e.g. 0.5.7). Defaults to 'latest'."
+ required: false
+ default: "latest"
+
+env:
+ QUAY_STACKROX_IO_RW_USERNAME: ${{ secrets.QUAY_STACKROX_IO_RW_USERNAME }}
+ QUAY_STACKROX_IO_RW_PASSWORD: ${{ secrets.QUAY_STACKROX_IO_RW_PASSWORD }}
+
+jobs:
+ promote-stable:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Log in to Quay
+ run: |
+ docker login -u "$QUAY_STACKROX_IO_RW_USERNAME" --password-stdin <<<"$QUAY_STACKROX_IO_RW_PASSWORD" quay.io
+ - name: Retag all flavors as stable
+ run: |
+ VERSION="${{ inputs.version }}"
+ VERSION="${VERSION:-latest}"
+ for flavor in scanner-build scanner-test stackrox-build stackrox-test stackrox-ui-test jenkins-plugin; do
+ SRC="quay.io/stackrox-io/apollo-ci:${flavor}-${VERSION}"
+ DST="quay.io/stackrox-io/apollo-ci:${flavor}-stable"
+ echo "Promoting ${SRC} → ${DST}"
+ docker buildx imagetools create --tag "${DST}" "${SRC}"
+ done
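Review bot: `VERSION="${{ inputs.version }}"` pastes the dispatch input into the script text, so whatever the person triggering the workflow types is parsed by bash in a job whose environment holds the Quay read-write credentials. Pass the input through `env:` and reject anything that is not `latest` or a plain version before the loop. The same value decides which image becomes `stable`, so the format check also keeps an arbitrary tag from being promoted (adjust the pattern if the project's tags carry suffixes). The two secrets are declared at workflow level although only the login step reads them, and the file has no `permissions:` block. I would move the secrets onto the login step and add `permissions: {}`, since nothing here uses the repository token.

```yaml
        # on the "Retag all flavors as stable" step
        env:
          VERSION: ${{ inputs.version }}
        run: |
          VERSION="${VERSION:-latest}"
          if [[ ! "${VERSION}" =~ ^(latest|[0-9]+\.[0-9]+\.[0-9]+)$ ]]; then
            echo "::error::version must be 'latest' or X.Y.Z"
            exit 1
          fi
          # … unchanged: for loop over flavors calling docker buildx imagetools create …
```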