diff --git a/.github/workflows/build_action_runner_image_base.yml b/.github/workflows/build_action_runner_image_base.yml
deleted file mode 100644
index ba57e1734..000000000
--- a/.github/workflows/build_action_runner_image_base.yml
+++ /dev/null
@@ -1,45 +0,0 @@
-name: build_gh_actions_image_base
-
-on:
- workflow_dispatch:
- schedule:
- - cron: "04 05 * * 6"
-
-jobs:
- build:
- runs-on: [ self-hosted, linux ]
- permissions:
- packages: write
- steps:
- - name: 'Make tmp dir'
- run: mkdir -p build_context
- - run: |
- echo "
- FROM debian:bookworm
- RUN export DEBIAN_FRONTEND=noninteractive && \
- apt-get update && \
- apt-get install --yes curl gpg ca-certificates && \
- install -m 0755 -d /etc/apt/keyrings && \
- curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg && \
- chmod a+r /etc/apt/keyrings/docker.gpg && \
- echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian/ bookworm stable" > /etc/apt/sources.list.d/docker.list && \
- apt-get update && \
- apt-get install --yes docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin && \
- apt-get clean && \
- rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
- " > build_context/Dockerfile
- - name: Login to GitHub Container Registry
- uses: docker/login-action@v2
- with:
- registry: ghcr.io
- username: ${{ github.actor }}
- password: ${{ secrets.GITHUB_TOKEN }}
- - name: Build and push
- uses: docker/build-push-action@v4
- with:
- context: build_context/
- push: true
- tags: "ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}/debian_docker:latest"
- - name: cleanup
- if: always()
- run: rm -rf build_context
diff --git a/.github/workflows/build_apps.yaml b/.github/workflows/build_apps.yaml
deleted file mode 100644
index e3c36eeec..000000000
--- a/.github/workflows/build_apps.yaml
+++ /dev/null
@@ -1,41 +0,0 @@
-name: build_apps
-
-on:
- workflow_dispatch:
-
-jobs:
- bake_applications:
- runs-on: [ self-hosted, linux ]
- permissions:
- packages: write
- contents: read
- container:
- image: "ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}/debian_docker:latest"
- options: -v /var/run/docker.sock:/var/run/docker.sock
- credentials:
- username: ${{ github.actor }}
- password: ${{ secrets.GITHUB_TOKEN }}
- env:
- CR_TAG_BASE: "ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}"
- IMAGE_NAME_CONTROL_API: "dl-control-api"
- IMAGE_NAME_DATA_API: "dl-data-api"
- BAKE_TARGET_CONTROL_API_APP: "dl_control_api"
- BAKE_TARGET_DATA_API_APP: "dl_data_api"
- steps:
- - name: Log in to the Container registry
- uses: docker/login-action@v2
- with:
- registry: "ghcr.io"
- username: ${{ github.actor }}
- password: ${{ secrets.GITHUB_TOKEN }}
- - name: 'Cleanup build folder'
- run: |
- rm -rf ./* || true
- rm -rf ./.??* || true
- - name: Checkout code
- uses: actions/checkout@v4
- - run: git config --global --add safe.directory /__w/${{ github.event.repository.name }}/${{ github.event.repository.name }}
- - run: |
- cd docker_build
- ./run-project-bake "${BAKE_TARGET_CONTROL_API_APP}" --push --set "${BAKE_TARGET_CONTROL_API_APP}.tags=${CR_TAG_BASE}/${IMAGE_NAME_CONTROL_API}:latest" --set "${BAKE_TARGET_CONTROL_API_APP}.tags=${CR_TAG_BASE}/${IMAGE_NAME_CONTROL_API}:$(git rev-parse HEAD)"
- ./run-project-bake "${BAKE_TARGET_DATA_API_APP}" --push --set "${BAKE_TARGET_DATA_API_APP}.tags=${CR_TAG_BASE}/${IMAGE_NAME_DATA_API}:latest" --set "${BAKE_TARGET_DATA_API_APP}.tags=${CR_TAG_BASE}/${IMAGE_NAME_DATA_API}:$(git rev-parse HEAD)"
diff --git a/.github/workflows/build_debian_docker.yml b/.github/workflows/build_debian_docker.yml
new file mode 100644
index 000000000..a97dd213d
--- /dev/null
+++ b/.github/workflows/build_debian_docker.yml
@@ -0,0 +1,34 @@
+name: "🐳 Build Debian Docker image"
+
+on:
+ workflow_dispatch:
+ schedule:
+ - cron: "04 05 * * 6" # every Saturday at 05:04
+
+jobs:
+ build:
+ runs-on: [ self-hosted, linux ]
+ permissions:
+ packages: write
+ env:
+ CR_TAG_BASE: "ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}"
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Login to GitHub Container Registry
+ uses: docker/login-action@v2
+ with:
+ registry: ${{ env.CR_TAG_BASE }}
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Build and push
+ uses: docker/build-push-action@v4
+ with:
+ context: docker_build/debian_docker
+ push: true
+ tags: "${{ env.CR_TAG_BASE }}/debian_docker:latest"
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index ee133070f..711559461 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
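Review bot: In build_debian_docker.yml the login step's `registry: ${{ env.CR_TAG_BASE }}` hands docker/login-action a repository path (`ghcr.io/<owner>/<repo>`) where the input is a registry host; the workflow this replaces used `registry: ghcr.io`, and credentials stored under a path may not be matched when the next step pushes. The same line in release.yaml (`push_images`) and release_prerelease.yaml (`build_images`) refers to a variable those jobs never define (they define `cr_url`), so the input evaluates to an empty string and login-action, as documented, falls back to Docker Hub, which would present `GITHUB_TOKEN` to the wrong registry. Use `registry: ghcr.io` in all three places. The job also now runs `actions/checkout` while granting only `packages: write`; if the repository is private, add `contents: read` under `permissions:`.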
@@ -16,15 +16,61 @@ on: default: false jobs: + push_images: + name: "Pull candidate images and push to release" + runs-on: ubuntu-latest + permissions: + packages: write + strategy: + matrix: + image_name: + - "dl-control-api" + - "dl-data-api" + env: + cr_url: "ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}" + image_url_base: "${{ env.cr_url }}/${{ matrix.image_name }}" + image_url_release: "${{ env.image_url_base }}:${{ github.event.inputs.version }}" + image_url_rc: "${{ env.image_url_base }}:${{ github.event.inputs.version }}rc1" + image_url_latest: "${{ env.image_url_base }}:latest" + + steps: + - name: Log in to the Container registry + uses: docker/login-action@v2 + with: + registry: ${{ env.CR_TAG_BASE }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Pull release candidate image + id: pull_image + run: | + echo "Pulling release candidate image" + docker pull ${image_url_rc} + + - name: Push release tag + id: push_image + run: | + echo "Pushing release image" + docker tag ${{ env.image_url_rc }} ${{ env.image_url_release }} + docker push ${{ env.image_url_release }} + + - name: Push latest tag + if: ${{ github.event.inputs.make_latest == 'true' }} + run: | + echo "Pushing latest image" + docker tag ${{ env.image_url_rc }} ${{ env.image_url_latest }} + docker push ${{ env.image_url_latest }} + release: name: "Create release" + needs: [push_images] runs-on: ubuntu-latest permissions: contents: write env: branch: "release/${{ github.event.inputs.version }}" - steps: + steps: - name: Checkout code id: checkout uses: actions/checkout@v2 diff --git a/.github/workflows/release_prerelease.yaml b/.github/workflows/release_prerelease.yaml index 0f517e50b..a5ea88e58 100644 --- a/.github/workflows/release_prerelease.yaml +++ b/.github/workflows/release_prerelease.yaml 
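Review bot: The job-level `env:` map of `push_images` in release.yaml builds `image_url_base`, `image_url_release`, `image_url_rc` and `image_url_latest` from `${{ env.… }}`, but per GitHub's context-availability rules the `env` context cannot be used inside a job's own `env:` map, so these keys cannot refer to each other and the workflow is expected to be rejected; `build_images` in release_prerelease.yaml carries the same block. The push steps then paste `${{ env.image_url_* }}`, which embeds the `version` dispatch input, directly into the script text, whereas the pull step already uses a shell variable. Passing the values as environment variables and quoting them keeps the input from being parsed as shell, as sketched below. The `release` job continues outside the hunk.

```yaml
    env:
      # only github.* and matrix.* are referenced here
      image_url_base: "ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}/${{ matrix.image_name }}"
      version: "${{ github.event.inputs.version }}"

    steps:
      # … unchanged: registry login step …
      - name: Pull release candidate image
        id: pull_image
        run: |
          echo "Pulling release candidate image"
          docker pull "${image_url_base}:${version}rc1"

      - name: Push release tag
        id: push_image
        run: |
          echo "Pushing release image"
          docker tag "${image_url_base}:${version}rc1" "${image_url_base}:${version}"
          docker push "${image_url_base}:${version}"
      # … "Push latest tag" step: same substitution with :latest …
```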
@@ -24,8 +24,51 @@ on: default: false jobs: + build_images: + name: "Build images" + runs-on: ubuntu-latest + permissions: + packages: write + strategy: + matrix: + image_name: + - "dl-control-api" + - "dl-data-api" + env: + cr_url: "ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}" + image_url_base: "${{ env.cr_url }}/${{ matrix.image_name }}" + image_url_rc: "${{ env.image_url_base }}:${{ github.event.inputs.version }}rc1" + image_url_release: "${{ env.image_url_base }}:${{ github.event.inputs.version }}" + + steps: + - name: Log in to the Container registry + uses: docker/login-action@v2 + with: + registry: ${{ env.CR_TAG_BASE }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Checkout code + id: checkout + uses: actions/checkout@v2 + with: + ref: "${{ env.branch }}" + fetch-depth: 0 + + - name: Build image + working-directory: docker_build + run: | + image_name="${{ matrix.image_name }}" + bake_target="${image_name/-/_}" # replace - with _ + + ./run-project-bake "${bake_target}" \ + --push \ + --set "${bake_target}.tags=${{ env.image_url_rc }}" + ${{ github.event.inputs.with_release == 'true' && '--set "${bake_target}.tags=${{ env.image_url_release }}"' || '' }} + release: name: "Create prerelease" + needs: [build_images] runs-on: ubuntu-latest permissions: contents: write diff --git a/docker_build/debian_docker/Dockerfile b/docker_build/debian_docker/Dockerfile new file mode 100644 index 000000000..f0b906a71 --- /dev/null +++ b/docker_build/debian_docker/Dockerfile @@ -0,0 +1,9 @@ +FROM debian:bookworm + +# run all scripts in ./scripts in alphabetical order +RUN COPY ./scripts /tmp/scripts +RUN chmod a+x /tmp/scripts/*.sh && \ + run-parts --regex '.*sh$' \ + --exit-on-error \ + /tmp/scripts && \ + rm -rf /tmp/scripts diff --git a/docker_build/debian_docker/scripts/000-apt-update.sh b/docker_build/debian_docker/scripts/000-apt-update.sh new file mode 100755 index 000000000..c188abecc --- /dev/null 
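Review bot: In the `Build image` step of release_prerelease.yaml the line `--set "${bake_target}.tags=${{ env.image_url_rc }}"` has no trailing backslash, so the conditional line after it runs as a separate shell command instead of being passed to `run-project-bake`, and the release tag is never applied. That conditional also nests `${{ env.image_url_release }}` inside a string literal of another `${{ }}` expression, which the expression syntax does not support. Building the argument list in the shell avoids both, as sketched below (it assumes the job-level image URL variables resolve). Separately, the checkout step's `ref: "${{ env.branch }}"` has no matching `branch` key in this job's visible `env:`, which would build the images from the triggering ref instead of the release branch unless it is defined at workflow level outside the hunk.

```yaml
      - name: Build image
        working-directory: docker_build
        env:
          with_release: "${{ github.event.inputs.with_release }}"
        run: |
          # … unchanged: image_name / bake_target assignment …
          bake_args=(--push --set "${bake_target}.tags=${image_url_rc}")
          if [ "${with_release}" = "true" ]; then
            bake_args+=(--set "${bake_target}.tags=${image_url_release}")
          fi
          ./run-project-bake "${bake_target}" "${bake_args[@]}"
```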
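Review bot: In docker_build/debian_docker/Dockerfile, `RUN COPY ./scripts /tmp/scripts` is not a copy instruction: `RUN` hands `COPY …` to the shell as a command name, so the build is expected to stop at that layer and nothing reaches `/tmp/scripts`. It should read `COPY ./scripts /tmp/scripts`. `FROM debian:bookworm` is a moving tag; since this image is rebuilt weekly and pushed as `:latest`, pinning the base by digest would make each rebuild traceable to a known base.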
+++ b/docker_build/debian_docker/scripts/000-apt-update.sh
@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+set -eu
+export DEBIAN_FRONTEND=noninteractive
+
+echo 'Updating apt-get...'
+
+apt-get update
diff --git a/docker_build/debian_docker/scripts/100-docker.sh b/docker_build/debian_docker/scripts/100-docker.sh
new file mode 100644
index 000000000..b3a23aab6
--- /dev/null
+++ b/docker_build/debian_docker/scripts/100-docker.sh
@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+set -eu
+export DEBIAN_FRONTEND=noninteractive
+
+echo 'Installing docker packages...'
+
+echo ' Installing docker source list...'
+apt-get install --yes \
+ curl \
+ gpg \
+ ca-certificates
+
+install -m 0755 -d /etc/apt/keyrings
+curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
+chmod a+r /etc/apt/keyrings/docker.gpg
+echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian/ bookworm stable" > /etc/apt/sources.list.d/docker.list
+
+apt-get update
+
+echo ' Installing packages...'
+
+apt-get install --yes \
+ docker-ce \
+ docker-ce-cli \
+ containerd.io \
+ docker-buildx-plugin \
+ docker-compose-plugin
diff --git a/docker_build/debian_docker/scripts/900-apt-cleanup.sh b/docker_build/debian_docker/scripts/900-apt-cleanup.sh
new file mode 100755
index 000000000..8e3ce223a
--- /dev/null
+++ b/docker_build/debian_docker/scripts/900-apt-cleanup.sh
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -eu
+export DEBIAN_FRONTEND=noninteractive
+
+echo 'Cleaning up apt...'
+
+apt-get clean
+rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
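Review bot: In scripts/100-docker.sh, `set -eu` does not cover the `curl -fsSL … | gpg --dearmor -o /etc/apt/keyrings/docker.gpg` pipeline: without `pipefail` the pipeline's exit status is gpg's, so a failed or truncated download is not caught by the script itself. Open the script with `set -euo pipefail`. The key is also trusted exactly as fetched; comparing its fingerprint with the one Docker publishes before it is written to the keyring would make a substituted key fail the build instead of being used for the later `signed-by=` check. The `signed-by` source line hard-codes `arch=amd64`, which is worth a comment if the runner image is only ever built for that architecture.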