diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 6cd0365..3c86994 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -15,13 +15,57 @@ jobs:
 with:
 fetch-depth: '0'
 
- - name: Build the Docker image
- run: docker build -t docker-netbootxyz:${{ github.sha }} .
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v3
+
+ - name: Login to the Docker Container Registry
+ uses: docker/login-action@v3
+ with:
+ username: ${{ secrets.DOCKERHUB_USER }}
+ password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+ - name: Login to the GitHub Container Registry
+ uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{ secrets.GHCR_USER }}
+ password: ${{ secrets.GHCR_TOKEN }}
+
+ - name: Get latest Webapp release version
+ run: |
+ WEBAPP_RELEASE=$(curl -sX GET "https://api.github.com/repos/netbootxyz/webapp/releases/latest" | jq -r '. | .tag_name')
+ echo "WEBAPP_RELEASE=${WEBAPP_RELEASE}" >> $GITHUB_ENV
+
+ - name: Build and push PR test image
+ uses: docker/build-push-action@v6
+ with:
+ push: true
+ context: .
+ file: ./Dockerfile
+ platforms: linux/amd64,linux/arm64
+ build-args: |
+ WEBAPP_VERSION=${{ env.WEBAPP_RELEASE }}
+ VERSION=pr-${{ github.event.number }}
+ BUILD_DATE=$(date +'%Y-%m-%dT%H:%M:%S')
+ tags: |
+ netbootxyz/netbootxyz:pr-${{ github.event.number }}
+ netbootxyz/netbootxyz:pr-${{ github.event.number }}-${{ github.sha }}
+ ghcr.io/netbootxyz/netbootxyz:pr-${{ github.event.number }}
+ ghcr.io/netbootxyz/netbootxyz:pr-${{ github.event.number }}-${{ github.sha }}
+ labels: |
+ org.opencontainers.image.title=netbootxyz
+ org.opencontainers.image.description=netboot.xyz PR test image
+ org.opencontainers.image.version=pr-${{ github.event.number }}
+ org.opencontainers.image.revision=${{ github.sha }}
+ org.opencontainers.image.source=https://github.com/netbootxyz/docker-netbootxyz
 
 - name: Run Trivy vulnerability scanner
 uses: aquasecurity/trivy-action@0.31.0
 with:
- image-ref: 'docker-netbootxyz:${{ github.sha }}'
+ image-ref: 'ghcr.io/netbootxyz/netbootxyz:pr-${{ github.event.number }}'
 format: 'table'
 exit-code: '1'
 ignore-unfixed: true
diff --git a/Dockerfile b/Dockerfile
index ae8e58d..283067f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -67,8 +67,6 @@ RUN apk add --no-cache \
 sudo \
 supervisor \
 syslog-ng \
- # Security tools
- gosu \
 # Runtime libraries
 nghttp2-dev \
 # Create required directories
diff --git a/root/etc/supervisor.conf b/root/etc/supervisor.conf
index ee81096..2684f04 100644
--- a/root/etc/supervisor.conf
+++ b/root/etc/supervisor.conf
@@ -6,17 +6,19 @@ logfile=/tmp/supervisord.log
 pidfile=/run/supervisord.pid
 
 [program:nginx]
-command = gosu nbxyz /usr/sbin/nginx -c /config/nginx/nginx.conf
+command = /usr/sbin/nginx -c /config/nginx/nginx.conf
 startretries = 2
 daemon=off
+user=nbxyz
 priority = 2
 stdout_logfile=/dev/null
 stderr_logfile=/dev/null
 
 [program:webapp]
 environment=NODE_ENV="production",PORT=%(ENV_WEB_APP_PORT)s
-command=gosu nbxyz /usr/bin/node app.js
+command=/usr/bin/node app.js
 directory=/app
+user=nbxyz
 priority = 3
 stdout_logfile=/dev/null
 stderr_logfile=/dev/null
diff --git a/root/start.sh b/root/start.sh
index 8007f11..c96417e 100755
--- a/root/start.sh
+++ b/root/start.sh
@@ -16,6 +16,6 @@ echo "https://opencollective.com/netbootxyz"
 echo "https://github.com/sponsors/netbootxyz"
 echo
-# Run supervisord as root (it will use gosu for individual programs)
+# Run supervisord as root
 echo "[start] Starting supervisord (programs will run as nbxyz)"
 exec supervisord -c /etc/supervisor.conf
diff --git a/root/usr/local/bin/dnsmasq-wrapper.sh b/root/usr/local/bin/dnsmasq-wrapper.sh
index c5d72d6..481014e 100644
--- a/root/usr/local/bin/dnsmasq-wrapper.sh
+++ b/root/usr/local/bin/dnsmasq-wrapper.sh
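Review bot: The `push: true` build runs before the Trivy step, so an image that fails the scan (`exit-code: '1'`) has already been published to Docker Hub and GHCR under all four `pr-…` tags by the time the job goes red; build without pushing first (e.g. `push: false` with `load: true` for a single platform, or `outputs: type=oci`), scan that artifact, and push in a separate step that only runs when the scan passes. `BUILD_DATE=$(date +'%Y-%m-%dT%H:%M:%S')` inside `build-args: |` is handed to the build literally — no shell evaluates it — so the build arg receives the text `$(date …)`; compute it in the preceding `run:` step with `echo "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> "$GITHUB_ENV"` and reference it as `BUILD_DATE=${{ env.BUILD_DATE }}`. The release lookup is `curl -s` without `-f` and without validating the output, so a rate-limited or failed API response yields `WEBAPP_RELEASE=null` and the build silently proceeds with it; use `curl -fsS`, send `Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}`, and fail the step when the tag is empty or `null`. The `docker/*` actions are pinned to floating major tags (`@v3`, `@v6`) while `trivy-action` is pinned to `0.31.0`; pinning all of them to a full commit SHA keeps the supply-chain posture consistent. The workflow's trigger is outside the hunk, so whether fork pull requests can reach the secret-bearing login and push steps cannot be judged here, but it is worth confirming since these tags are published to public registries on every run.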
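Review bot: `user=nbxyz` in `[program:nginx]` and `[program:webapp]` only drops privileges when supervisord itself runs as root; as far as I recall, when supervisord cannot setuid it refuses to spawn the program rather than running it as the current user, so the root `exec supervisord` in `root/start.sh` (changed in this same commit) is now a hard prerequisite for both services starting at all. A one-line comment above each new key, `; privilege drop is done by supervisord; requires supervisord to be started as root (see /root/start.sh)`, records that dependency where the next maintainer will look. On style, the two sections already mix `startretries = 2` / `priority = 2` with `daemon=off` / `directory=/app`; the added `user=nbxyz` lines extend that inconsistency, so consider normalising the touched sections to one spacing form.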
@@ -6,5 +6,5 @@ echo "[dnsmasq] TFTP root: /config/menus"
 echo "[dnsmasq] TFTP security: enabled"
 echo "[dnsmasq] Logging: enabled (dhcp and queries)"
-# Start dnsmasq via gosu with logging to stderr (which supervisord can capture)
-exec gosu nbxyz /usr/sbin/dnsmasq --port=0 --keep-in-foreground --enable-tftp --user=nbxyz --tftp-secure --tftp-root=/config/menus --log-facility=- --log-dhcp --log-queries "$@"
\ No newline at end of file
+# Start dnsmasq as root to bind to port 69, then drop privileges to nbxyz
+exec /usr/sbin/dnsmasq --port=0 --keep-in-foreground --enable-tftp --user=nbxyz --tftp-secure --tftp-root=/config/menus --log-facility=- --log-dhcp --log-queries "$@"
\ No newline at end of file
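Review bot: Starting dnsmasq as root with `--user=nbxyz` is a weaker privilege drop than the removed `gosu` line, not an equivalent one: dnsmasq's startup path now runs as root, and per its `--user` documentation it changes uid after binding but, on Linux, keeps the networking capabilities (CAP_NET_ADMIN/CAP_NET_RAW) it needs, so the new comment should say so rather than imply a full drop — e.g. `# dnsmasq must start as root to bind TFTP port 69; it then switches to nbxyz but retains its NET_* capabilities (see dnsmasq --user)`. This also means the container itself can no longer be started as a non-root user (`--user` / `runAsNonRoot`) without TFTP failing to bind, which belongs in the image documentation. If the `[program:dnsmasq]` supervisord section (not in this diff) carries a `user=` key, it would undo the root start relied on here; worth checking. Both the removed and the added `exec` line end with `\ No newline at end of file`; add the trailing newline while touching the line. The script's preamble starts outside the hunk.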