diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 45bda5e..89bce40 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -77,6 +77,7 @@ jobs:
             echo "new=true" >> $GITHUB_OUTPUT
           fi
 
+      # Create the GitHub release only when the version in package.json is new.
       - name: Create GitHub release
         if: steps.check.outputs.new == 'true'
         env:
@@ -86,8 +87,11 @@ jobs:
             --title "v${{ steps.check.outputs.version }}" \
             --generate-notes
 
+      # The image is built + pushed on EVERY main push (not gated on a new
+      # version) so ghcr.io/orkait/hyperstack:main and :latest always track the
+      # current main. Installs pull :main and get the latest. The :<version> tag
+      # lets users pin a release.
       - name: Log in to GitHub Container Registry
-        if: steps.check.outputs.new == 'true'
         uses: docker/login-action@v3
         with:
           registry: ${{ env.REGISTRY }}
@@ -95,18 +99,20 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Extract metadata (tags, labels) for Docker
-        if: steps.check.outputs.new == 'true'
         id: meta
         uses: docker/metadata-action@v5
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=raw,value=main,enable={{is_default_branch}}
+            type=raw,value=latest,enable={{is_default_branch}}
+            type=raw,value=${{ steps.check.outputs.version }}
+            type=sha
 
       - name: Set up Docker Buildx
-        if: steps.check.outputs.new == 'true'
         uses: docker/setup-buildx-action@v3
 
       - name: Build and push Docker image
-        if: steps.check.outputs.new == 'true'
         uses: docker/build-push-action@v6
         with:
           context: .