diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 4d70a0b330..7a9905d2e3 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -82,10 +82,6 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
-      # TODO: fix tagging
-      # ! 'manifest unknown' via `docker pull ghcr.io/pythoninthegrass/musicbot:feat-update_docker`
-      # ! `docker pull ghcr.io/pythoninthegrass/musicbot@sha256:40b2474ed9a12a7276196e1e09956c2b94ddd379ba46c6859ed40740ea41039a` works
-      # ! annotations also only apply to sha256 -- not 'branch/tag' versions
       - name: Build and push Docker image
         uses: docker/build-push-action@v6
         with:
@@ -96,7 +92,7 @@ jobs:
           labels: ${{ steps.meta.outputs.labels }}
           platforms: linux/amd64,linux/arm64/v8
           cache-from: type=registry,ref=${{ steps.meta.outputs.tags }}
-          cache-to: type=registry,ref=${{ steps.meta.outputs.tags }},mode=max
-          outputs: >
-            type=image,name=${{ steps.meta.outputs.tags }},
-            annotation-index.org.opencontainers.image.description=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.description'] }}
+          cache-to: type=inline
+          outputs: |
+            type=image,name=${{ steps.meta.outputs.tags }},push-by-digest=true,name-canonical=true,push=true
+          provenance: false