diff --git a/.github/workflows/container-publish.yml b/.github/workflows/container-publish.yml
index e49bde56..ad241b9c 100644
--- a/.github/workflows/container-publish.yml
+++ b/.github/workflows/container-publish.yml
@@ -1,32 +1,45 @@
 name: Container
 
 on:
-  push:
-    branches:
-      - 'main'
-      - 'develop'
-    tags:
-      - 'v*'
   workflow_run:
-    workflows: [ Releaser ]
+    workflows: [ "CI (Podman Devcontainer)", Releaser ]
     types:
       - completed
-  pull_request:
+  workflow_dispatch:
 
 jobs:
   prepare-checkout:
-    if: github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'success'
+    # run on: manual dispatch, successful Releaser, or successful CI on main
+    if: >-
+      github.event_name == 'workflow_dispatch' ||
+      (github.event.workflow_run.conclusion == 'success' &&
+       (github.event.workflow_run.name == 'Releaser' ||
+        github.event.workflow_run.head_branch == 'main'))
     name: Prepare ref
     runs-on: ubuntu-latest
     outputs:
-      ref: ${{ github.event_name != 'workflow_run' && github.ref || steps.releaser.outputs.version }}
+      checkout-ref: ${{ steps.ref.outputs.checkout-ref }}
+      tag: ${{ steps.ref.outputs.tag }}
     steps:
       - name: Get Ref from releaser
         id: releaser
-        if: github.event_name == 'workflow_run'
+        if: github.event.workflow_run.name == 'Releaser'
         uses: ipdxco/unified-github-workflows/.github/actions/inspect-releaser@v0.0
         with:
           artifacts-url: ${{ github.event.workflow_run.artifacts_url }}
+      - name: Resolve ref
+        id: ref
+        run: |
+          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
+            echo "checkout-ref=${{ github.sha }}" >> "$GITHUB_OUTPUT"
+            echo "tag=${{ github.ref_name }}" >> "$GITHUB_OUTPUT"
+          elif [ "${{ github.event.workflow_run.name }}" = "Releaser" ]; then
+            echo "checkout-ref=${{ steps.releaser.outputs.version }}" >> "$GITHUB_OUTPUT"
+            echo "tag=${{ steps.releaser.outputs.version }}" >> "$GITHUB_OUTPUT"
+          else
+            echo "checkout-ref=${{ github.event.workflow_run.head_sha }}" >> "$GITHUB_OUTPUT"
+            echo "tag=${{ github.event.workflow_run.head_branch }}" >> "$GITHUB_OUTPUT"
+          fi
   publish:
     name: Publish
     needs: [ prepare-checkout ]
@@ -36,33 +49,32 @@ jobs:
       packages: write
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
-          ref: ${{ needs.prepare-checkout.outputs.ref }}
+          ref: ${{ needs.prepare-checkout.outputs.checkout-ref }}
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
       - name: Log in to the Container registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ github.token }}
       - name: Extract metadata
         id: meta
-        uses: docker/metadata-action@v4
+        uses: docker/metadata-action@v5
         with:
           images: ghcr.io/${{ github.repository }}
           tags: |
-            type=semver,pattern={{raw}}
-            type=ref,event=branch
-            type=raw,value=${{ needs.prepare-checkout.outputs.ref }}
+            type=semver,pattern={{raw}},value=${{ needs.prepare-checkout.outputs.tag }}
+            type=raw,value=${{ needs.prepare-checkout.outputs.tag }}
       - name: Build and push Docker image
         uses: docker/build-push-action@v6
         with:
           context: .
           cache-from: type=gha
           cache-to: type=gha,mode=max
-          push: ${{ github.event_name != 'pull_request' }}
+          push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
           platforms: linux/amd64,linux/arm64