diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
new file mode 100644
index 00000000..5ec708b7
--- /dev/null
+++ b/.github/workflows/cd.yml
@@ -0,0 +1,115 @@
+# When a PR is merged, or when run manually, this workflow will create a
+# release and publish the container image to the GitHub Container Registry. Both
+# will be labeled with the version specified in the manifest file.
+name: Continuous Delivery
+
+on:
+  pull_request:
+    types:
+      - closed
+    branches:
+      - main
+  workflow_dispatch:
+
+env:
+  CONTAINER_REGISTRY: ghcr.io
+  CONTAINER_REGISTRY_USERNAME: ${{ github.actor  }}
+  CONTAINER_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
+  MANIFEST_PATH: action.yml
+
+permissions:
+  contents: write
+  packages: write
+
+jobs:
+  publish:
+    name: Publish Container Image
+    runs-on: ubuntu-latest
+
+    # Ignore Dependabot pull requests.
+    if: |
+      github.event_name == 'workflow_dispatch' ||
+      (github.event.pull_request.merged == true &&
+      startsWith(github.head_ref, 'dependabot/') == false)
+
+    steps:
+      - name: Checkout
+        id: checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-tags: true
+          ref: main
+
+      - name: Check Version
+        id: version
+        uses: issue-ops/semver@v2
+        with:
+          check-only: true
+          manifest-path: ${{ env.MANIFEST_PATH }}
+          ref: main
+          workspace: ${{ github.workspace }}
+
+      # Create the list of image tags that will be published. If a prerelease is
+      # being published (e.g. `1.2.3-alpha.4`), only the prerelease tag will be
+      # published (`v1.2.3-alpha.4`). Otherwise, the following tags will be
+      # published:
+      # - `latest`
+      # - `v1.2.3`
+      # - `v1.2`
+      # - `v1`
+      - name: Set Image Tags
+        id: tags
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const version = '${{ steps.version.outputs.version }}'
+
+            // Check if prerelease (e.g. 1.2.3-alpha.4)
+            if (version.includes('-')) {
+              // Only output the prerelease tag
+              core.setOutput('tags', `type=raw,value=v${version}`)
+            } else {
+              // Output all the tags
+              let tags = [
+                'type=raw,value=latest',
+                `type=raw,value=v${version}`,
+                `type=raw,value=v${version.split('.').slice(0, 2).join('.')}`,
+                `type=raw,value=v${version.split('.')[0]}`
+              ]
+              core.setOutput('tags', tags.join('\n'))
+            }
+
+      # Get metadata to apply to image
+      - name: Extract Metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.CONTAINER_REGISTRY }}/${{ github.repository }}
+          tags: ${{ steps.tags.outputs.tags }}
+
+      # Authenticate to the container registry
+      - name: Authenticate to Container Registry
+        id: login
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.CONTAINER_REGISTRY }}
+          username: ${{ env.CONTAINER_REGISTRY_USERNAME }}
+          password: ${{ env.CONTAINER_REGISTRY_PASSWORD }}
+
+      # Publish the container image
+      - name: Publish Container Image
+        id: publish
+        uses: docker/build-push-action@v6
+        env:
+          LABELS: ${{ steps.meta.outputs.labels }}
+          TAGS: ${{ steps.meta.outputs.tags }}
+        with:
+          labels: ${{ env.LABELS }}
+          push: true
+          tags: ${{ env.TAGS }}
+
+      - name: Create Release
+        id: release
+        uses: issue-ops/releaser@v2
+        with:
+          tag: v${{ steps.version.outputs.version }}
\ No newline at end of file
diff --git a/.github/workflows/version-check.yml b/.github/workflows/version-check.yml
new file mode 100644
index 00000000..a696bc34
--- /dev/null
+++ b/.github/workflows/version-check.yml
@@ -0,0 +1,39 @@
+# This workflow checks the version of the container image that is being built
+# in the current pull request. If the version has already been published, the
+# workflow fails to prevent PRs from being merged until the version has been
+# incremented in the manifest file.
+name: Version Check
+
+on:
+  pull_request:
+    branches:
+      - main
+
+env:
+  MANIFEST_PATH: action.yml
+
+permissions:
+  checks: write
+  contents: read
+  pull-requests: write
+
+jobs:
+  check-version:
+    name: Version Check
+    runs-on: ubuntu-latest
+
+    if: ${{ github.actor != 'dependabot[bot]' }}
+
+    steps:
+      - name: Checkout
+        id: checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-tags: true
+
+      - name: Check Version
+        id: check-version
+        uses: issue-ops/semver@v2
+        with:
+          check-only: true
+          manifest-path: ${{ env.MANIFEST_PATH }}
\ No newline at end of file
diff --git a/action.yml b/action.yml
index 15dca12c..1691e67e 100644
--- a/action.yml
+++ b/action.yml
@@ -3,7 +3,7 @@ name: 'LaunchDarkly Code References in Pull Request'
 description: 'Find references to feature flags in your pull request'
 runs:
   using: 'docker'
-  image: 'Dockerfile'
+  image: 'docker://ghcr.io/ln-zap/find-code-references-in-pull-request:latest'
   env:
     LD_PROJ_KEY: ${{ inputs.project-key }}
     LD_ACCESS_TOKEN: ${{ inputs.access-token }}