diff --git a/.drone.yml b/.drone.yml
deleted file mode 100644
index 4c29720..0000000
--- a/.drone.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-pipeline:
-  build:
-    image: golang:1.17
-    commands:
-    - make test build
-
-  docker-latest:
-    image: plugins/docker
-    repo: quay.io/uswitch/heimdall
-    registry: quay.io
-    secrets: [ docker_username, docker_password ]
-    tags:
-      - latest
-    when:
-      event: push
-      branch: main
-
-  docker-tagged:
-    image: plugins/docker
-    repo: quay.io/uswitch/heimdall
-    registry: quay.io
-    secrets: [ docker_username, docker_password ]
-    tags:
-      - ${DRONE_TAG}
-    when:
-      event: tag
diff --git a/.github/workflows/push.yaml b/.github/workflows/push.yaml
new file mode 100644
index 0000000..71b869c
--- /dev/null
+++ b/.github/workflows/push.yaml
@@ -0,0 +1,56 @@
+name: push
+on: push
+permissions:
+  contents: read
+  id-token: write
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version: "1.17"
+      - run: make test
+  build:
+    runs-on: ubuntu-latest
+    needs: test
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version: "1.17"
+      - run: make build
+      - uses: actions/upload-artifact@v4
+        with:
+          name: bin
+          path: bin/
+  docker-build-push:
+    if: github.ref_name == 'master' || startsWith(github.ref, 'refs/tags/v')
+    needs: build
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/download-artifact@v4
+        with:
+          name: bin
+          path: bin/
+      - name: Login to Quay.io
+        uses: docker/login-action@v3
+        with:
+          registry: quay.io
+          username: ${{ secrets.QUAY_USERNAME }}
+          password: ${{ secrets.QUAY_PASSWORD }}
+      - id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: quay.io/uswitch/heimdall
+          tags: |
+            type=semver,pattern={{raw}}
+            type=sha,prefix=,format=long,
+      - uses: docker/build-push-action@v6
+        with:
+          context: .
+          labels: ${{ steps.meta.outputs.labels }}
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
diff --git a/Dockerfile b/Dockerfile
index 28b9a56..6f103c7 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,7 +2,7 @@ FROM gcr.io/distroless/static:nonroot
 
 WORKDIR /
 
-COPY bin/heimdall-linux-amd64 heimdall
+COPY --chmod=755 bin/heimdall-linux-amd64 heimdall
 
 USER nonroot:nonroot