diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml
index 4125115bd..a8161ee6c 100644
--- a/.github/workflows/cicd.yml
+++ b/.github/workflows/cicd.yml
@@ -16,6 +16,7 @@ on:
 permissions:
 id-token: write
 contents: read
+ packages: write
 jobs:
 lint:
@@ -53,13 +54,13 @@ jobs:
 needs: [lint, check-yarn-lock]
 outputs:
 migrations_docker_version: ${{ steps.migrations-docker-metadata.outputs.version }}
- activitypub_docker_version: ${{ steps.activitypub-docker-metadata.outputs.version }}
+ activitypub_docker_version: ${{ steps.activitypub-docker-metadata-private.outputs.version }}
 steps:
 - name: "Checkout"
 uses: actions/checkout@v4
- - name: "ActivityPub Docker meta"
- id: activitypub-docker-metadata
+ - name: "ActivityPub Docker metadata for private registry"
+ id: activitypub-docker-metadata-private
 uses: docker/metadata-action@v5
 with:
 images: |
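Review bot: `packages: write` is added to the workflow-level `permissions:` block in the first hunk, so every job in the file, `lint` included, gets a token that can publish packages, although only the GHCR push steps added later in this diff need it. Scope it to the job that pushes instead: give that job its own `permissions:` listing `id-token: write`, `contents: read` and `packages: write`, and leave the workflow-level block as it was. A job-level `permissions:` block replaces the workflow-level one rather than extending it, so all three entries have to be listed there. The header of the job that holds the push steps is outside the visible hunks.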
@@ -72,6 +73,34 @@ jobs:
 type=semver,pattern={{major}}.{{minor}}
 type=semver,pattern={{major}}
 type=sha,priority=1100
+ labels: |
+ org.opencontainers.image.title=Ghost — ActivityPub
+ org.opencontainers.image.description=Federate your Ghost site with ActivityPub to join the world's largest open network.
+ org.opencontainers.image.vendor=Ghost Foundation
+ org.opencontainers.image.licenses=MIT
+ org.opencontainers.image.documentation=https://github.com/TryGhost/ActivityPub
+ org.opencontainers.image.source=https://github.com/TryGhost/ActivityPub
+
+ - name: "ActivityPub Docker metadata for public registry"
+ id: activitypub-docker-metadata-public
+ if: github.ref == 'refs/heads/main'
+ uses: docker/metadata-action@v5
+ with:
+ images: |
+ ghcr.io/tryghost/activitypub
+ tags: |
+ type=edge,branch=main
+ type=semver,pattern={{version}}
+ type=semver,pattern={{major}}.{{minor}}
+ type=semver,pattern={{major}}
+ type=sha,priority=1100
+ labels: |
+ org.opencontainers.image.title=Ghost — ActivityPub
+ org.opencontainers.image.description=Federate your Ghost site with ActivityPub to join the world's largest open network.
+ org.opencontainers.image.vendor=Ghost Foundation
+ org.opencontainers.image.licenses=MIT
+ org.opencontainers.image.documentation=https://github.com/TryGhost/ActivityPub
+ org.opencontainers.image.source=https://github.com/TryGhost/ActivityPub
 - name: "Migrations Docker meta"
 id: migrations-docker-metadata
@@ -93,7 +122,8 @@ jobs:
 with:
 context: .
 load: true
- tags: ${{ steps.activitypub-docker-metadata.outputs.tags }}
+ tags: ${{ steps.activitypub-docker-metadata-private.outputs.tags }}
+ labels: ${{ steps.activitypub-docker-metadata-private.outputs.labels }}
 - name: "Build Docker Image for Migrations"
 uses: docker/build-push-action@v6
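Review bot: The three `type=semver` rules in the new public metadata step look unreachable, because the step is gated by `if: github.ref == 'refs/heads/main'` and docker/metadata-action applies semver rules to tag refs. A main-branch run would therefore produce only the `edge` and `sha` tags for `ghcr.io/tryghost/activitypub`. If versioned public images are intended, the condition here and on the GHCR login and push steps in the last hunk needs to admit release tags, for example `if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/')`, assuming the workflow is triggered on tag pushes at all, which the visible hunks do not show. Otherwise drop the three rules so the step documents what it really publishes.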
@@ -114,7 +144,7 @@ jobs:
 workload_identity_provider: projects/687476608778/locations/global/workloadIdentityPools/github-oidc-activitypub/providers/github-provider-activitypub
 service_account: stg-activitypub-cicd@ghost-activitypub.iam.gserviceaccount.com
- - name: "Login to GCP Artifact Registry"
+ - name: "Login to GCP Artifact Registry (private registry)"
 if: github.ref == 'refs/heads/main' || (github.event_name == 'pull_request' && (github.event.action == 'opened' || github.event.action == 'synchronize' || github.event.action == 'reopened' || github.event.action == 'labeled' || github.event.action == 'unlabeled'))
 uses: docker/login-action@v3
 with:
@@ -122,13 +152,33 @@ jobs:
 username: oauth2accesstoken
 password: ${{ steps.gcp-auth.outputs.access_token }}
- - name: "Push ActivityPub Docker Image"
+ - name: "Login to GitHub Container Registry (public registry)"
+ if: github.ref == 'refs/heads/main'
+ uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: "Push ActivityPub Docker image to private registry"
 if: github.ref == 'refs/heads/main' || (github.event_name == 'pull_request' && (github.event.action == 'opened' || github.event.action == 'synchronize' || github.event.action == 'reopened' || github.event.action == 'labeled' || github.event.action == 'unlabeled'))
 uses: docker/build-push-action@v6
 with:
 context: .
 push: true
- tags: ${{ steps.activitypub-docker-metadata.outputs.tags }}
+ tags: ${{ steps.activitypub-docker-metadata-private.outputs.tags }}
+ labels: ${{ steps.activitypub-docker-metadata-private.outputs.labels }}
+ platforms: linux/amd64
+
+ - name: "Push ActivityPub Docker image to public registry"
+ if: github.ref == 'refs/heads/main'
+ uses: docker/build-push-action@v6
+ with:
+ context: .
+ push: true
+ tags: ${{ steps.activitypub-docker-metadata-public.outputs.tags }}
+ labels: ${{ steps.activitypub-docker-metadata-public.outputs.labels }}
+ platforms: linux/amd64
 - name: "Push Migrations Docker Image"
 if: github.ref == 'refs/heads/main' || (github.event_name == 'pull_request' && (github.event.action == 'opened' || github.event.action == 'synchronize' || github.event.action == 'reopened' || github.event.action == 'labeled' || github.event.action == 'unlabeled'))
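Review bot: The new "Push ActivityPub Docker image to public registry" step runs a second `docker/build-push-action` build of `context: .` instead of publishing the image already built for the private registry, so the GHCR image is not guaranteed to share a digest with the one built earlier with `load: true` and pushed to Artifact Registry. A single push step whose `tags:` is a block scalar holding both `${{ steps.activitypub-docker-metadata-private.outputs.tags }}` and `${{ steps.activitypub-docker-metadata-public.outputs.tags }}` would publish one digest to both registries. The public output should be empty when its metadata step is skipped on pull requests, though that is worth confirming before merging the steps. Separately, the new login step passes `secrets.GITHUB_TOKEN` to `docker/login-action@v3`, a mutable tag; pinning it as `uses: docker/login-action@<full-commit-sha> # v3` keeps a retagged release from receiving a token with `packages: write`.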