diff --git a/.github/workflows/cd-manual.yml b/.github/workflows/cd-manual.yml
new file mode 100644
index 000000000..df6aa6289
--- /dev/null
+++ b/.github/workflows/cd-manual.yml
@@ -0,0 +1,58 @@
+name: Create docker images (manual)
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        type: string
+        description: Version
+        required: true
+
+jobs:
+  build:
+    name: Build, push, and deploy
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        db-type: [postgresql]
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Extract version parts from input
+        id: extract_version
+        run: |
+          echo "version=$(echo ${{ github.event.inputs.version }})" >> $GITHUB_ENV
+          echo "major=$(echo ${{ github.event.inputs.version }} | cut -d. -f1)" >> $GITHUB_ENV
+          echo "minor=$(echo ${{ github.event.inputs.version }} | cut -d. -f2)" >> $GITHUB_ENV
+
+      - name: Generate tags
+        id: generate_tags
+        run: |
+          echo "tag_major=$(echo ${{ matrix.db-type }}-${{ env.major }})" >> $GITHUB_ENV
+          echo "tag_minor=$(echo ${{ matrix.db-type }}-${{ env.major }}.${{ env.minor }})" >> $GITHUB_ENV
+          echo "tag_patch=$(echo ${{ matrix.db-type }}-${{ env.version }})" >> $GITHUB_ENV
+          echo "tag_latest=$(echo ${{ matrix.db-type }}-latest)" >> $GITHUB_ENV
+
+      - uses: mr-smithers-excellent/docker-build-push@v6
+        name: Build & push Docker image to ghcr.io for ${{ matrix.db-type }}
+        with:
+          image: umami
+          tags: ${{ env.tag_major }}, ${{ env.tag_minor }}, ${{ env.tag_patch }}, ${{ env.tag_latest }}
+          buildArgs: DATABASE_TYPE=${{ matrix.db-type }}
+          registry: ghcr.io
+          multiPlatform: true
+          platform: linux/amd64,linux/arm64
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - uses: mr-smithers-excellent/docker-build-push@v6
+        name: Build & push Docker image to docker.io for ${{ matrix.db-type }}
+        with:
+          image: umamisoftware/umami
+          tags: ${{ env.tag_major }}, ${{ env.tag_minor }}, ${{ env.tag_patch }}, ${{ env.tag_latest }}
+          buildArgs: DATABASE_TYPE=${{ matrix.db-type }}
+          registry: docker.io
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index a4934e797..3098d314b 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -50,10 +50,11 @@ jobs:
         run: |
           INPUT="${{ github.event.inputs.version }}"
           if [[ -n "$INPUT" ]]; then
+            # Strip leading v if present
             VERSION="${INPUT#v}"
             MAJOR=$(echo "$VERSION" | cut -d. -f1)
             MINOR=$(echo "$VERSION" | cut -d. -f2)
-            echo "version_tags=${VERSION},${MAJOR}.${MINOR},${MAJOR},latest" >> $GITHUB_ENV
+            echo "version_tags=${VERSION},${MAJOR}.${MINOR},${MAJOR}" >> $GITHUB_ENV
           else
             echo "version_tags=" >> $GITHUB_ENV
           fi
@@ -68,11 +69,17 @@ jobs:
           flavor: |
             latest=auto
           tags: |
+            # Semver tags from real Git tags
             type=semver,pattern={{version}}
             type=semver,pattern={{major}}.{{minor}}
             type=semver,pattern={{major}}
+
+            # Manual input derived tags
             type=raw,value=${{ env.version_tags }},enable=${{ env.version_tags != '' }}
+
+            # Fallbacks for branches/PRs
             type=ref,event=branch
+            type=ref,event=pr
             type=sha
 
       - name: Build and push Docker image
@@ -86,13 +93,9 @@ jobs:
           labels: ${{ steps.meta.outputs.labels }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
-          provenance: false # disable automatic attestations
-
-      # Generate a local provenance attestation instead of uploading signatures
-      - name: Generate provenance attestation
-        run: |
-          cosign attest --yes \
-            --predicate <(echo '{"build":"github-actions","repo":"${{ github.repository }}","run_id":"${{ github.run_id }}"}') \
-            --type slsaprovenance \
-            ${{ steps.meta.outputs.tags }}
 
+      - name: Sign the published Docker image
+        env:
+          TAGS: ${{ steps.meta.outputs.tags }}
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
+        run: echo "${TAGS}" | xargs -I {} cosign sign --yes "{}@${DIGEST}"
diff --git a/.github/workflows/delete-untagged-images.yml b/.github/workflows/delete-untagged-images.yml
new file mode 100644
index 000000000..a23a1bd27
--- /dev/null
+++ b/.github/workflows/delete-untagged-images.yml
@@ -0,0 +1,22 @@
+name: Delete untagged GHCR images
+
+on:
+  workflow_dispatch: # Run manually from the Actions tab
+
+jobs:
+  cleanup:
+    name: Delete all untagged images
+    runs-on: ubuntu-latest
+
+    permissions:
+      packages: write
+      contents: read
+
+    steps:
+      - name: Delete untagged GHCR images
+        uses: actions/delete-package-versions@v5
+        with:
+          package-name: "umami" # 👈 change if your GHCR package name differs
+          package-type: "container"
+          delete-only-untagged-versions: true
+          min-versions-to-keep: 0