diff --git a/.github/workflows/publish-docker.yml b/.github/workflows/publish-docker.yml
index 0f4a3ec6..d37a441c 100644
--- a/.github/workflows/publish-docker.yml
+++ b/.github/workflows/publish-docker.yml
@@ -30,7 +30,7 @@ jobs:
       packages: write
     # Condition: Run on push to main, published release, OR PR with 'ok-to-image' label
     if: |
-      github.event_name == 'push' || 
+      github.event_name == 'push' ||
       (github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'ok-to-image')) ||
       (github.event_name == 'release' && github.event.action == 'published')
     runs-on: ubuntu-latest
@@ -65,7 +65,7 @@ jobs:
           version: latest
           endpoint: builders
       - name: Login to GHCR
-        if: github.event_name != 'pull_request'
+        if: github.event_name != 'pull_request' || contains(github.event.pull_request.labels.*.name, 'ok-to-image')
         uses: docker/login-action@v4
         with:
           registry: ghcr.io
@@ -77,7 +77,7 @@ jobs:
         with:
           context: .
           platforms: linux/amd64, linux/arm64
-          push: ${{ github.event_name != 'pull_request' }}
+          push: ${{ github.event_name != 'pull_request' || contains(github.event.pull_request.labels.*.name, 'ok-to-image') }}
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
-          target: ${{ matrix.image.target }}
\ No newline at end of file
+          target: ${{ matrix.image.target }}
diff --git a/Dockerfile b/Dockerfile
index adaa7ed2..96d9f3ee 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -39,13 +39,13 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 
 RUN --mount=type=cache,target=/root/.cache/go-build \
     --mount=type=cache,target=/go/pkg \
-    GOOS=$TARGETOS GOARCH=$TARGETARCH GO111MODULE=on go build -ldflags="${LDFLAGS}" -a -o libvirt-provider ./cmd/libvirt-provider/main.go
+    CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH GO111MODULE=on go build -ldflags="${LDFLAGS}" -a -o libvirt-provider ./cmd/libvirt-provider/main.go
 
 
 # Install irictl-machine
 RUN --mount=type=cache,target=/root/.cache/go-build \
     --mount=type=cache,target=/go/pkg \
-    GOOS=$TARGETOS GOARCH=$TARGETARCH GO111MODULE=on \
+    CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH GO111MODULE=on \
     go install github.com/ironcore-dev/ironcore/irictl-machine/cmd/irictl-machine@main
 
 # Ensure the binary is in a common location
@@ -59,7 +59,7 @@ RUN if [ "$TARGETARCH" = "$BUILDARCH" ]; then \
 FROM busybox:1.37.0-uclibc AS busybox
 
 # Since we're leveraging apt to pull in dependencies, we use `gcr.io/distroless/base` because it includes glibc.
-FROM gcr.io/distroless/base-debian11  AS libvirt-provider
+FROM gcr.io/distroless/static-debian13  AS libvirt-provider
 
 WORKDIR /
 COPY --from=busybox /bin/sh /bin/sh