diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 4d70a0b33..c8479b264 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -1,80 +1,75 @@ -name: Publish Docker images +name: CI on: push: branches: - 'main' - 'master' - - 'feat/**' tags: - '*.*.*' paths: - - '.dockerignore' - - '.env.example' - - '.github/workflows/**' - - '**.bat' - - '**.ps1' - - '**.py' - - '**.sh' - - 'bin/**' - - 'config/**' - 'Dockerfile*' - - 'musicbot.service' - - 'musicbot/**' - - 'musicbotcmd' - - 'poetry.lock' - 'pyproject.toml' + - 'poetry.lock' - 'requirements.txt' + - '**.py' + - '**.sh' + - '.dockerignore' + - '.env.example' + - '.github/workflows/**' workflow_dispatch: env: REGISTRY_URL: ${{ vars.REGISTRY_URL }} REGISTRY_USER: ${{ vars.REGISTRY_USER }} - REGISTRY_PASS: ${{ secrets.REGISTRY_PASS }} jobs: - push_to_registry: - name: Push Docker image to container registry + build: + name: Build and push Docker image runs-on: ubuntu-latest strategy: - matrix: - dockerfile: [Dockerfile] - concurrency: - group: ${{ github.workflow }}-${{ matrix.dockerfile }}-${{ github.ref }} - cancel-in-progress: true - permissions: - packages: write - contents: read - actions: read + fail-fast: true steps: - - name: Check out the repo + - name: Checkout code uses: actions/checkout@v4 - - name: Log into container registry - uses: docker/login-action@v3 - with: - registry: ${{ env.REGISTRY_URL }} - username: ${{ env.REGISTRY_URL == 'ghcr.io' && github.repository_owner || env.REGISTRY_USER }} - password: ${{ env.REGISTRY_URL == 'ghcr.io' && secrets.GITHUB_TOKEN || env.REGISTRY_PASS }} - - name: Extract image name from Dockerfile id: image_name run: | - IMAGE=$(grep "LABEL org.opencontainers.image.title" ${{ matrix.dockerfile }} | cut -d'"' -f2) + IMAGE=$(grep "LABEL org.opencontainers.image.title" Dockerfile | cut -d'"' -f2) echo "IMAGE=$IMAGE" >> $GITHUB_OUTPUT - - name: Extract metadata (tags, labels) for Docker + - name: Set password by container registry + run: | + case "${{ env.REGISTRY_URL }}" in + "ghcr.io") + echo "REGISTRY_PASS=${{ secrets.GITHUB_TOKEN }}" >> $GITHUB_ENV + ;; + *) + if [ -n "${{ 
secrets.REGISTRY_PASS }}" ]; then + echo "REGISTRY_PASS=${{ secrets.REGISTRY_PASS }}" >> $GITHUB_ENV + else + echo "REGISTRY_PASS secret is not set and registry is not recognized. Exiting..." + exit 1 + fi + ;; + esac + + - name: Docker meta id: meta uses: docker/metadata-action@v5 with: images: | - ${{ env.REGISTRY_URL }}/${{ env.REGISTRY_URL == 'ghcr.io' && github.repository_owner || env.REGISTRY_USER }}/${{ steps.image_name.outputs.IMAGE }} + ${{ env.REGISTRY_URL }}/${{ env.REGISTRY_USER }}/${{ steps.image_name.outputs.IMAGE }} tags: | - type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' }} + type=schedule type=ref,event=branch + type=ref,event=pr type=semver,pattern={{version}} - flavor: | - latest=false + type=semver,pattern={{major}}.{{minor}} + type=semver,pattern={{major}} + type=sha + type=raw,value=latest,enable={{is_default_branch}} - name: Set up QEMU uses: docker/setup-qemu-action@v3 
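Review bot: The new `Set password by container registry` step expands `${{ secrets.GITHUB_TOKEN }}` and `${{ secrets.REGISTRY_PASS }}` directly into the script text and appends the value to `$GITHUB_ENV`, so the credential lands in the environment of every later step in the job, third-party actions included. A secret containing a quote, `$` or a newline would also alter the script or corrupt the env file. The step can be dropped by selecting the password where it is used, as the removed lines did: `password: ${{ env.REGISTRY_URL == 'ghcr.io' && secrets.GITHUB_TOKEN || secrets.REGISTRY_PASS }}` on the login step in the next hunk. The job-level `permissions:` block is removed here as well, which leaves the token's scope to the repository default. Keeping `packages: write` and `contents: read` explicit preserves least privilege and keeps a ghcr.io push working where that default is read-only.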
@@ -82,21 +77,19 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - # TODO: fix tagging - # ! 'manifest unknown' via `docker pull ghcr.io/pythoninthegrass/musicbot:feat-update_docker` - # ! `docker pull ghcr.io/pythoninthegrass/musicbot@sha256:40b2474ed9a12a7276196e1e09956c2b94ddd379ba46c6859ed40740ea41039a` works - # ! annotations also only apply to sha256 -- not 'branch/tag' versions - - name: Build and push Docker image + - name: Login to container registry + if: github.event_name != 'pull_request' + uses: docker/login-action@v3 + with: + registry: ${{ env.REGISTRY_URL }} + username: ${{ env.REGISTRY_USER }} + password: ${{ env.REGISTRY_PASS }} + + - name: Build and push uses: docker/build-push-action@v6 with: context: . - file: ./${{ matrix.dockerfile }} - push: true + platforms: linux/amd64,linux/arm64/v8 + push: ${{ github.event_name != 'pull_request' }} tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} - platforms: linux/amd64,linux/arm64/v8 - cache-from: type=registry,ref=${{ steps.meta.outputs.tags }} - cache-to: type=registry,ref=${{ steps.meta.outputs.tags }},mode=max - outputs: > - type=image,name=${{ steps.meta.outputs.tags }}, - annotation-index.org.opencontainers.image.description=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.description'] }}
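Review bot: The `if: github.event_name != 'pull_request'` on the login step and the matching `push:` expression test for an event this workflow does not subscribe to, so both are always true today; the `on:` block in the previous hunk lists only `push` and `workflow_dispatch`. If a `pull_request` trigger is added later, the earlier `Set password by container registry` step has no such condition and would still run, so any step that touches the credential should carry the same `if:`. Because this job handles registry credentials, consider pinning `docker/login-action@v3` and `docker/build-push-action@v6` to full commit SHAs rather than mutable tags, e.g. `uses: docker/login-action@<full-commit-sha>  # v3`. The `steps:` list this hunk edits begins in the previous hunk.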