diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml
index c3290905..a5f3dfee 100644
--- a/.github/workflows/pipeline.yml
+++ b/.github/workflows/pipeline.yml
@@ -86,15 +86,22 @@ jobs:
                 username: ${{ github.actor }}
                 password: ${{ secrets.GITHUB_TOKEN }}
 
+            - name: Set up QEMU
+              uses: docker/setup-qemu-action@v3
+
+            - name: Set up Docker Buildx
+              uses: docker/setup-buildx-action@v3
+                        
             - name: Download GoReleaser
               run: go install github.com/goreleaser/goreleaser@v1.23.0
 
             - name: Run GoReleaser
-              uses: testifysec/witness-run-action@85ddab8b46a86b2905a3b547a1806ab264fbb810
+              uses: testifysec/witness-run-action@cceed291062b350dc658d7d189933ac47d4f4dec
               env:
                 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
                 GITHUB_REPOSITORY_OWNER: ${{ github.repository_owner }}
               with:
+                witness-install-dir: /opt/witness
                 step: "build"
                 attestations: "github"
                 command: goreleaser release --clean
diff --git a/.github/workflows/witness.yml b/.github/workflows/witness.yml
index 25d88e8d..d2060dec 100644
--- a/.github/workflows/witness.yml
+++ b/.github/workflows/witness.yml
@@ -49,8 +49,9 @@ jobs:
               go-version: 1.21.x
 
           - if: ${{ inputs.pull_request == false }}
-            uses: testifysec/witness-run-action@85ddab8b46a86b2905a3b547a1806ab264fbb810
+            uses: testifysec/witness-run-action@cceed291062b350dc658d7d189933ac47d4f4dec
             with:
+              witness-install-dir: /opt/witness
               step: ${{ inputs.step }}
               attestations: ${{ inputs.attestations }}
               command: /bin/sh -c "${{ inputs.command }}"
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index 101e6b80..9462a99a 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -74,18 +74,56 @@ release:
   prerelease: auto
   github:
     owner: "{{ .Env.GITHUB_REPOSITORY_OWNER }}"
+dockers:
+  - image_templates:
+    - "ghcr.io/in-toto/archivista:{{ .Version }}-amd64"
+    use: buildx
+    build_flag_templates:
+      - "--pull"
+      - "--platform=linux/amd64"
+    extra_files:
+      - "archivista.graphql"
+      - "ent.graphql"
+      - "ent.resolvers.go"
+      - "entrypoint.sh"
+      - "gen.go"
+      - "generated.go"
+      - "go.mod"
+      - "go.sum"
+      - "resolver.go"
+      - "docs"
+      - "ent"
+      - "cmd"
+      - "ent"
+      - "pkg"
+  - image_templates:
+    - "ghcr.io/in-toto/archivista:{{ .Version }}-arm64"
+    use: buildx
+    build_flag_templates:
+      - "--pull"
+      - "--platform=linux/arm64"
+    extra_files:
+      - "archivista.graphql"
+      - "ent.graphql"
+      - "ent.resolvers.go"
+      - "entrypoint.sh"
+      - "gen.go"
+      - "generated.go"
+      - "go.mod"
+      - "go.sum"
+      - "resolver.go"
+      - "docs"
+      - "ent"
+      - "cmd"
+      - "ent"
+      - "pkg"
+    goarch: arm64
+docker_manifests:
+  - name_template: "ghcr.io/in-toto/archivista:{{ .Version }}"
+    image_templates:
+      - "ghcr.io/in-toto/archivista:{{ .Version }}-amd64"
+      - "ghcr.io/in-toto/archivista:{{ .Version }}-arm64"
 kos:
-  - repository: ghcr.io/in-toto/archivista
-    id: archivista
-    build: archivista
-    tags:
-    - '{{.Version}}'
-    bare: true
-    preserve_import_paths: false
-    creation_time: '{{.CommitTimestamp}}'
-    platforms:
-    - linux/amd64
-    - linux/arm64
   - repository: ghcr.io/in-toto/archivistactl
     id: archivistactl
     build: archivistactl