diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml index a02e9900c..051d24a22 100644 --- a/.github/workflows/cd.yml +++ b/.github/workflows/cd.yml @@ -2,8 +2,17 @@ name: Create docker images on: push: - tags: - - 'v*.*.*' + branches: + - master + - main + - dev + # Publish semver tags as releases. + tags: [ 'v*.*.*' ] + pull_request: + branches: + - master + - main + - dev workflow_dispatch: jobs: @@ -13,31 +22,36 @@ jobs: permissions: contents: read packages: write + # This is used to complete the identity challenge + # with sigstore/fulcio when running outside of PRs. id-token: write strategy: matrix: - db-type: [postgresql] + db-type: [postgresql, mysql] steps: - uses: actions/checkout@v5 - # Install cosign (for image signing) + # Install the cosign tool except on PR + # https://github.com/sigstore/cosign-installer - name: Install cosign + if: github.event_name != 'pull_request' uses: sigstore/cosign-installer@v3 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - - name: Log into Docker Hub - if: github.repository == 'umami-software/umami' + - name: Log into registry docker.io + if: github.event_name != 'pull_request' && github.repository == 'umami-software/umami' uses: docker/login-action@v3 with: registry: docker.io username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_PASSWORD }} - - name: Log into GHCR + - name: Log into ghcr registry + if: github.event_name != 'pull_request' uses: docker/login-action@v3 with: registry: ghcr.io @@ -55,8 +69,14 @@ jobs: latest=auto prefix=${{ matrix.db-type }}- tags: | + type=ref,event=branch + type=ref,event=pr + + # output 1.1.2 type=semver,pattern={{version}} + # output 1.1 type=semver,pattern={{major}}.{{minor}} + # output 1 type=semver,pattern={{major}} - name: Build and push Docker image 
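Review bot: The new `push.branches` trigger in cd.yml comes without a `concurrency` setting, so two pushes to `dev` in quick succession can finish out of order. The branch-named image tag added further down (`type=ref,event=branch`) would then point at the older build. A top-level `concurrency:` block with `group: ${{ github.workflow }}-${{ github.ref }}` and `cancel-in-progress: true` would let the most recent commit win. The group is keyed on the ref, so a release tag build is not cancelled by branch activity.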
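Review bot: Pull-request runs of this job still receive the job-level `packages: write` and `id-token: write`, because the new `if: github.event_name != 'pull_request'` guards only skip the steps that use those scopes. For PRs opened from branches in the same repository, the token keeps both scopes while the PR's build context and the tag-pinned third-party actions (`@v3`) run; fork PRs are normally downgraded to a read-only token by GitHub. I would move the PR build into its own job or workflow whose permissions block is only `contents: read`, and keep the write scopes on the publishing job. The comment on `id-token` could then read `# Needed for keyless signing with sigstore/fulcio; publishing job only.`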
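Review bot: With `mysql` added to the matrix earlier in this file, the `flavor` block just above these tags (`latest=auto` plus `prefix=${{ matrix.db-type }}-`) looks like it will make both matrix legs publish the same unprefixed `latest` on a semver tag push. As far as I know docker/metadata-action does not apply the prefix to `latest` unless asked, so whichever leg finishes last decides which database build `latest` resolves to. If that is not intended, `prefix=${{ matrix.db-type }}-,onlatest=true` yields `postgresql-latest` and `mysql-latest` instead. The metadata step starts above the hunk, so its `images` list was not checked.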
@@ -66,14 +86,15 @@ jobs: context: . platforms: linux/amd64,linux/arm64 build-args: DATABASE_TYPE=${{ matrix.db-type }} - push: true + push: ${{ github.event_name != 'pull_request' }} tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} cache-from: type=gha cache-to: type=gha,mode=max - # Sign the published image digest + # Sign the resulting Docker image digest except on PRs. - name: Sign the published Docker image + if: ${{ github.event_name != 'pull_request' }} env: TAGS: ${{ steps.meta.outputs.tags }} DIGEST: ${{ steps.build-and-push.outputs.digest }} diff --git a/.github/workflows/delete-untagged-images.yml b/.github/workflows/delete-untagged-images.yml deleted file mode 100644 index a23a1bd27..000000000 --- a/.github/workflows/delete-untagged-images.yml +++ /dev/null @@ -1,22 +0,0 @@ -name: Delete untagged GHCR images - -on: - workflow_dispatch: # Run manually from the Actions tab - -jobs: - cleanup: - name: Delete all untagged images - runs-on: ubuntu-latest - - permissions: - packages: write - contents: read - - steps: - - name: Delete untagged GHCR images - uses: actions/delete-package-versions@v5 - with: - package-name: "umami" # 👈 change if your GHCR package name differs - package-type: "container" - delete-only-untagged-versions: true - min-versions-to-keep: 0
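Review bot: In cd.yml's build step, `cache-from: type=gha` and `cache-to: type=gha,mode=max` carry no `scope`. Now that the matrix builds two database variants, both legs write to the same default cache scope and can overwrite each other's layers. Scoping per variant avoids that: `cache-from: type=gha,scope=${{ matrix.db-type }}` and `cache-to: type=gha,mode=max,scope=${{ matrix.db-type }}`. The signing step's script continues past the end of the hunk and was not reviewed.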