diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 289b6449..fdaf9084 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -39,6 +39,10 @@ jobs:
       sys_versions: ${{vars.SYS_VERSIONS || env.default_sys_versions}}
       machines: ${{vars.MACHINES || env.default_machines}}
       release_url: ${{steps.release.outputs.upload_url}}
+      check_pkgs: ${{vars.CHECK_PKGS || 'false'}}
+      complement: ${{vars.COMPLEMENT || 'true'}}
+      complement_runner: 'het'
+      docker_repo: ${{vars.DOCKER_REPO}}
 
     strategy:
       fail-fast: true
@@ -149,7 +153,8 @@ jobs:
     needs: [init, lint]
     uses: ./.github/workflows/test.yml
     with:
-      complement: ${{fromJSON(vars.COMPLEMENT || 'true')}}
+      complement: ${{fromJSON(needs.init.outputs.complement)}}
+      complement_runner: ${{needs.init.outputs.complement_runner}}
       cargo_profiles: ${{needs.init.outputs.cargo_profiles}}
       feat_sets: ${{needs.init.outputs.feat_sets}}
       rust_toolchains: ${{needs.init.outputs.rust_toolchains}}
@@ -158,7 +163,6 @@ jobs:
       sys_targets: ${{needs.init.outputs.sys_targets}}
       sys_versions: ${{needs.init.outputs.sys_versions}}
       machines: ${{needs.init.outputs.machines}}
-      complement_runner: 'het'
       excludes: >
         [
           {"cargo_profile": "test", "rust_toolchain": "stable", "feat_set": "none"},
@@ -186,6 +190,7 @@ jobs:
     uses: ./.github/workflows/package.yml
     with:
       release_url: ${{needs.init.outputs.release_url}}
+      check_pkgs: ${{needs.init.outputs.check_pkgs}}
       cargo_profiles: ${{needs.init.outputs.cargo_profiles}}
       feat_sets: ${{needs.init.outputs.feat_sets}}
       rust_toolchains: ${{needs.init.outputs.rust_toolchains}}
@@ -224,7 +229,7 @@ jobs:
     needs: [init, test, package]
     uses: ./.github/workflows/publish.yml
     with:
-      docker_repo: ${{vars.DOCKER_REPO}}
+      docker_repo: ${{needs.init.outputs.docker_repo}}
       release_url: ${{needs.init.outputs.release_url}}
       cargo_profiles: ${{needs.init.outputs.cargo_profiles}}
       feat_sets: ${{needs.init.outputs.feat_sets}}
diff --git a/.github/workflows/package.yml b/.github/workflows/package.yml
index 76e67418..cb0e3f4e 100644
--- a/.github/workflows/package.yml
+++ b/.github/workflows/package.yml
@@ -38,6 +38,9 @@ on:
       release_url:
         type: string
         description: For release assets
+      check_pkgs:
+        type: string
+        default: 'false'
 
 jobs:
   book:
@@ -179,7 +182,7 @@ jobs:
       && contains(fromJSON(inputs.feat_sets), fromJSON('["all"]')[0])
       && contains(fromJSON(inputs.cargo_profiles), fromJSON('["release"]')[0])
       && contains(fromJSON(inputs.rust_toolchains), fromJSON('["stable"]')[0])
-      && github.ref == 'refs/heads/main'
+      && fromJSON(inputs.check_pkgs)
 
     name: Check Packages
     needs: [pkgs]
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 089942ff..c16bc247 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -75,11 +75,10 @@ jobs:
     name: Containers
     runs-on: ${{matrix.machine}}
     permissions: write-all
-    continue-on-error: false
     strategy:
       fail-fast: true
       matrix:
-        bake_target: ${{fromJSON('["github", "dockerhub"]')}}
+        bake_target: ${{fromJSON('["docker_io", "ghcr_io"]')}}
         cargo_profile: ${{fromJSON(inputs.cargo_profiles)}}
         rust_toolchain: ${{fromJSON(inputs.rust_toolchains)}}
         feat_set: ${{fromJSON(inputs.feat_sets)}}
@@ -92,6 +91,10 @@ jobs:
         include: ${{fromJSON(inputs.includes)}}
 
     steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
       - name: GitHub Login
         uses: docker/login-action@v3
         with:
@@ -120,8 +123,157 @@ jobs:
           acct: ${{github.actor}}
           repo: ${{github.repository}}
           docker_repo: ${{inputs.docker_repo}}
-          docker_tag_preview: ${{ matrix.cargo_profile == 'release' && matrix.feat_set == 'all' && matrix.sys_target == 'x86_64-linux-gnu' && contains(github.ref, 'refs/tags/v') }}
-          docker_tag_latest: ${{ matrix.cargo_profile == 'release' && matrix.feat_set == 'all' && matrix.sys_target == 'x86_64-linux-gnu' && contains(github.ref, 'refs/tags/v') && !contains(github.ref, '-rc') }}
 
         run: |
           docker/bake.sh "${{matrix.bake_target}}"
+
+  bundles:
+    if: >
+      !failure() && !cancelled()
+      && inputs.machines
+      && inputs.docker_repo != ''
+      && contains(fromJSON(inputs.cargo_profiles), fromJSON('["release"]')[0])
+      && contains(fromJSON(inputs.feat_sets), fromJSON('["all"]')[0])
+      && contains(fromJSON(inputs.rust_toolchains), fromJSON('["stable"]')[0])
+      && contains(github.ref, 'refs/tags/v')
+      && !contains(github.ref, '-draft')
+
+    name: Bundles
+    needs: [containers]
+    runs-on: 'het'
+    permissions: write-all
+    strategy:
+      fail-fast: true
+      matrix:
+        bake_target: ${{fromJSON('["docker_io", "ghcr_io"]')}}
+        cargo_profile: ${{fromJSON('["release"]')}}
+        feat_set: ${{fromJSON('["all"]')}}
+        rust_toolchain: ${{fromJSON('["stable"]')}}
+        sys_name: ${{fromJSON(inputs.sys_names)}}
+        sys_version: ${{fromJSON(inputs.sys_versions)}}
+        rust_target: ${{fromJSON(inputs.rust_targets)}}
+        sys_target: ${{fromJSON(inputs.sys_targets)}}
+        machine: ${{fromJSON(inputs.machines)}}
+        exclude: ${{fromJSON(inputs.excludes)}}
+        include: ${{fromJSON(inputs.includes)}}
+
+    steps:
+      - name: GitHub Login
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.ghcr_token }}
+
+      - name: DockerHub Login
+        uses: docker/login-action@v3
+        with:
+          registry: docker.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.dockerhub_token }}
+
+      - name: Release Preview
+        if: >
+          !failure() && !cancelled()
+          && !contains(github.ref, '-draft')
+
+        env:
+          acct: ${{github.actor}}
+          ghcr_repo: ${{github.repository}}
+          docker_repo: ${{inputs.docker_repo}}
+          registry: ${{matrix.bake_target}}
+          cargo_profile: ${{matrix.cargo_profile}}
+          feat_set: ${{matrix.feat_set}}
+          sys_target: ${{matrix.sys_target}}
+          ref_name: ${{github.ref_name}}
+
+        run: |
+          registry="$(echo -n $registry | sed s/_/./)"
+          if test "$registry" = "ghcr.io"; then
+            repo="$ghcr_repo"
+          else
+            repo="$docker_repo"
+          fi
+
+          docker manifest create "${registry}/${repo}:preview" \
+            --amend "${registry}/${repo}:${ref_name}-${cargo_profile}-${feat_set}-${sys_target}"
+
+      - name: Release Latest
+        if: >
+          !failure() && !cancelled()
+          && !contains(github.ref, '-draft')
+          && !contains(github.ref, '-rc')
+
+        env:
+          acct: ${{github.actor}}
+          ghcr_repo: ${{github.repository}}
+          docker_repo: ${{inputs.docker_repo}}
+          registry: ${{matrix.bake_target}}
+          cargo_profile: ${{matrix.cargo_profile}}
+          feat_set: ${{matrix.feat_set}}
+          sys_target: ${{matrix.sys_target}}
+          ref_name: ${{github.ref_name}}
+
+        run: |
+          registry="$(echo -n $registry | sed s/_/./)"
+          if test "$registry" = "ghcr.io"; then
+            repo="$ghcr_repo"
+          else
+            repo="$docker_repo"
+          fi
+
+          docker manifest create "${registry}/${repo}:latest" \
+            --amend "${registry}/${repo}:${ref_name}-${cargo_profile}-${feat_set}-${sys_target}"
+
+  delivery:
+    if: >
+      !failure() && !cancelled()
+      && inputs.machines
+      && inputs.docker_repo != ''
+      && contains(github.ref, 'refs/tags/v')
+
+    name: Delivery
+    needs: [bundles, documents]
+    runs-on: 'het'
+    permissions: write-all
+    steps:
+      - name: GitHub Login
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.ghcr_token }}
+
+      - name: DockerHub Login
+        uses: docker/login-action@v3
+        with:
+          registry: docker.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.dockerhub_token }}
+
+      - name: Push Preview
+        if: >
+          !failure() && !cancelled()
+          && !contains(github.ref, '-draft')
+
+        env:
+          ghcr_repo: ${{github.repository}}
+          docker_repo: ${{inputs.docker_repo}}
+
+        run: |
+          docker manifest push -p "ghcr.io/${ghcr_repo}:preview"
+          docker manifest push -p "docker.io/${docker_repo}:preview"
+
+      - name: Push Latest
+        if: >
+          !failure() && !cancelled()
+          && !contains(github.ref, '-draft')
+          && !contains(github.ref, '-rc')
+
+        env:
+          ghcr_repo: ${{github.repository}}
+          docker_repo: ${{inputs.docker_repo}}
+
+        run: |
+          docker manifest push -p "ghcr.io/${ghcr_repo}:latest"
+          docker manifest push -p "docker.io/${docker_repo}:latest"
diff --git a/docker/bake.hcl b/docker/bake.hcl
index 4ef9e6cd..899d45eb 100644
--- a/docker/bake.hcl
+++ b/docker/bake.hcl
@@ -16,11 +16,8 @@ variable "repo" {
 variable "docker_repo" {
     default = "${repo}"
 }
-variable "docker_tag_preview" {
-	default = false
-}
-variable "docker_tag_latest" {
-	default = false
+variable "docker_targets" {
+	default = "[\"local\"]"
 }
 
 variable "git_ref" {
@@ -279,28 +276,24 @@ group "publish" {
     ]
 }
 
-target "github" {
+target "ghcr_io" {
     name = elem("github", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
     tags = [
         "ghcr.io/${repo}:${git_ref_name}-${cargo_profile}-${feat_set}-${sys_target}",
-        docker_tag_preview? "ghcr.io/${repo}:preview": "",
-        docker_tag_latest? "ghcr.io/${repo}:latest": "",
     ]
-    output = ["type=registry,compression=zstd,mode=min,compression-level=${zstd_image_compress_level}"]
+    output = ["type=registry,compression=gzip,mode=min,compression-level=${gz_image_compress_level}"]
     matrix = cargo_rust_feat_sys
     inherits = [
         elem("docker", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target]),
     ]
 }
 
-target "dockerhub" {
+target "docker_io" {
     name = elem("dockerhub", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
     tags = [
-        "${docker_repo}:${git_ref_name}-${cargo_profile}-${feat_set}-${sys_target}",
-        docker_tag_preview? "${docker_repo}:preview": "",
-        docker_tag_latest? "${docker_repo}:latest": "",
+        "docker.io/${docker_repo}:${git_ref_name}-${cargo_profile}-${feat_set}-${sys_target}",
     ]
-    output = ["type=registry,compression=zstd,mode=min,compression-level=${zstd_image_compress_level}"]
+    output = ["type=registry,compression=gzip,mode=min,compression-level=${gz_image_compress_level}"]
     matrix = cargo_rust_feat_sys
     inherits = [
         elem("docker", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target]),
@@ -534,7 +527,7 @@ group "installs" {
 
 install_labels = {
     "org.opencontainers.image.authors" = "${package_authors}"
-    "org.opencontainers.image.created" ="${package_last_modified}"
+    "org.opencontainers.image.created" = "${package_last_modified}"
     "org.opencontainers.image.description" = "Matrix Chat Server in Rust"
     "org.opencontainers.image.documentation" = "https://github.com/matrix-construct/tuwunel/tree/main/docs/"
     "org.opencontainers.image.licenses" = "Apache-2.0"
@@ -546,6 +539,20 @@ install_labels = {
     "org.opencontainers.image.version" = "${package_version}"
 }
 
+install_annotations = [
+    "org.opencontainers.image.authors=${package_authors}",
+    "org.opencontainers.image.created=${package_last_modified}",
+    "org.opencontainers.image.description=Matrix Chat Server in Rust",
+    "org.opencontainers.image.documentation=https://github.com/matrix-construct/tuwunel/tree/main/docs/",
+    "org.opencontainers.image.licenses=Apache-2.0",
+    "org.opencontainers.image.revision=${package_revision}",
+    "org.opencontainers.image.source=https://github.com/matrix-construct/tuwunel",
+    "org.opencontainers.image.title=${package_name}",
+    "org.opencontainers.image.url=https://github.com/matrix-construct/tuwunel",
+    "org.opencontainers.image.vendor=matrix-construct",
+    "org.opencontainers.image.version=${package_version}",
+]
+
 target "oci" {
     name = elem("oci", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
     tags = [
@@ -580,8 +587,7 @@ target "docker" {
         )
     }
     dockerfile-inline =<<EOF
-        FROM scratch AS install
-        COPY --from=input . .
+        FROM input AS install
         EXPOSE 8008 8448
         ENTRYPOINT ["tuwunel"]
 EOF
@@ -643,7 +649,8 @@ target "install" {
         elem_tag("install", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target], "latest"),
     ]
     labels = install_labels
-    output = ["type=docker,compression=zstd,mode=min,compression-level=${zstd_image_compress_level}"]
+    annotations = install_annotations
+    output = ["type=docker,compression=uncompressed,mode=max"]
     cache_to = ["type=local,compression=zstd,mode=max,compression-level=${cache_compress_level}"]
     dockerfile = "${docker_dir}/Dockerfile.install"
     target = "install"
@@ -1713,6 +1720,7 @@ target "system" {
     cache_to = ["type=local,compression=zstd,mode=max,compression-level=${cache_compress_level}"]
     cache_from = ["type=local"]
     dockerfile = "${docker_dir}/Dockerfile.system"
+    platforms = jsondecode(docker_targets)
     matrix = sys
     context = "."
     args = {
diff --git a/docker/bake.sh b/docker/bake.sh
index 1d58fbb9..7e607c5d 100755
--- a/docker/bake.sh
+++ b/docker/bake.sh
@@ -16,6 +16,7 @@ default_rust_targets='["x86_64-unknown-linux-gnu"]'
 default_sys_names='["debian"]'
 default_sys_targets='["x86_64-linux-gnu"]'
 default_sys_versions='["testing-slim"]'
+default_docker_targets='["local"]'
 
 if test ! -z "$cargo_profile"; then
     env_cargo_profiles="[\"${cargo_profile}\"]"
@@ -45,6 +46,10 @@ if test ! -z "$sys_version"; then
     env_sys_versions="[\"${sys_version}\"]"
 fi
 
+if test ! -z "$docker_target"; then
+    env_docker_targets="[\"${docker_target}\"]"
+fi
+
 set -a
 bake_target="${bake_target:-$@}"
 cargo_profiles="${env_cargo_profiles:-$default_cargo_profiles}"
@@ -54,6 +59,7 @@ rust_toolchains="${env_rust_toolchains:-$default_rust_toolchains}"
 sys_names="${env_sys_names:-$default_sys_names}"
 sys_targets="${env_sys_targets:-$default_sys_targets}"
 sys_versions="${env_sys_versions:-$default_sys_versions}"
+docker_targets="${env_docker_targets:-$default_docker_targets}"
 
 docker_dir="$PWD/$BASEDIR"
 builder_name="${GITHUB_ACTOR:-owo}"
@@ -83,6 +89,7 @@ if test "$CI" = "true"; then
 fi
 
 args=""
+args="$args --provenance=false"
 args="$args --builder ${builder_name}"
 #args="$args --set *.platform=${sys_platform}"