diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml index e518ba4..07d12bf 100644 --- a/.github/workflows/docker.yaml +++ b/.github/workflows/docker.yaml @@ -17,6 +17,9 @@ jobs: contents: read steps: + - name: Checkout the code + uses: actions/checkout@v2 + - name: Docker meta id: meta uses: docker/metadata-action@v3 @@ -25,12 +28,28 @@ jobs: bake-target: docker-metadata-action tags: | type=ref,event=branch - type=ref,event=pr type=semver,pattern={{version}} type=semver,pattern={{major}}.{{minor}} type=semver,pattern={{major}} type=sha + - name: Docker meta (debug variant) + id: meta-debug + uses: docker/metadata-action@v3 + with: + images: "${{ env.IMAGE }}" + bake-target: docker-metadata-action-debug + tags: | + type=ref,event=branch,suffix=-debug + type=semver,pattern={{version}},suffix=-debug + type=semver,pattern={{major}}.{{minor}},suffix=-debug + type=semver,pattern={{major}},suffix=-debug + type=sha,suffix=-debug + + - name: Merge buildx bake files + run: | + jq -s '.[0] * .[1]' ${{ steps.meta.outputs.bake-file }} ${{ steps.meta-debug.outputs.bake-file }} > docker-bake.override.json + - name: Set up Docker Buildx uses: docker/setup-buildx-action@v1 with: 
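Review bot: The new `Checkout the code` step references `actions/checkout@v2` by a mutable tag, in a job that later logs in to the registry with `secrets.GITHUB_TOKEN` and pushes images. Pinning to a full commit SHA, e.g. `uses: actions/checkout@<full-commit-sha> # v2` (placeholder), keeps a retagged release from changing what runs here. The same applies to `docker/metadata-action@v3` in the added debug meta step and to `docker/bake-action@v1` in the build steps further down.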
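Review bot: In the `Merge buildx bake files` step, the two `${{ steps.*.outputs.bake-file }}` expressions are expanded into the script text unquoted before the shell runs, so a path containing a space or shell metacharacter would be split or interpreted. Passing them through `env:` (`META: ${{ steps.meta.outputs.bake-file }}`, `META_DEBUG: ${{ steps.meta-debug.outputs.bake-file }}`) and running `jq -s '.[0] * .[1]' "$META" "$META_DEBUG" > docker-bake.override.json` keeps them as data. A one-line comment that `*` is jq's recursive object merge, combining the two generated targets into one override file, would also help the next reader.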
@@ -46,28 +65,20 @@ jobs: username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} + # For pull-requests, only read from the cache, do not try to push to the + # cache or the image itself - name: Build - uses: docker/build-push-action@v2 + uses: docker/bake-action@v1 if: github.event_name == 'pull_request' with: - platforms: | - linux/amd64 - linux/arm64 - linux/arm - tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} - cache-from: type=registry,ref=${{ env.IMAGE }}:buildcache + set: | + base.cache-from=type=registry,ref=${{ env.IMAGE }}:buildcache - name: Build and push - uses: docker/build-push-action@v2 + uses: docker/bake-action@v1 if: github.event_name != 'pull_request' with: - platforms: | - linux/amd64 - linux/arm64 - linux/arm - tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} - push: true - cache-from: type=registry,ref=${{ env.IMAGE }}:buildcache - cache-to: type=registry,ref=${{ env.IMAGE }}:buildcache,mode=max + set: | + base.output=type=image,push=true + base.cache-from=type=registry,ref=${{ env.IMAGE }}:buildcache + base.cache-to=type=registry,ref=${{ env.IMAGE }}:buildcache,mode=max diff --git a/Dockerfile b/Dockerfile index ea66fa6..6c9966e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -2,8 +2,8 @@ ARG GO_VERSION=1.17 ARG DEBIAN_VERSION=11 ARG DEBIAN_VERSION_NAME=bullseye -# Build stage -FROM --platform=${BUILDPLATFORM} docker.io/library/golang:${GO_VERSION}-${DEBIAN_VERSION_NAME} as builder +## Build stage ## +FROM --platform=${BUILDPLATFORM} docker.io/library/golang:${GO_VERSION}-${DEBIAN_VERSION_NAME} AS builder WORKDIR /build COPY go.mod go.sum ./ 
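Review bot: With `base.cache-to=...,mode=max` in `Build and push`, the builder stage's layers are exported to `:buildcache`, and that stage runs `COPY . .` (visible in the Dockerfile hunk) against what now appears to be the local checkout, since the bake targets set no `context`. `actions/checkout` stores the job token in `.git/config` by default, so unless a `.dockerignore` (not visible here) excludes `.git`, that file can end up in a pushed cache layer. Setting `with: persist-credentials: false` on the checkout step and excluding `.git` from the build context avoids it. The job's step list begins outside this hunk.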
@@ -12,9 +12,14 @@ RUN go mod download COPY . . RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build -o rageshake -# Runtime stage -FROM --platform=${TARGETPLATFORM} gcr.io/distroless/static-debian${DEBIAN_VERSION}:nonroot +## Runtime stage, debug variant ## +FROM --platform=${TARGETPLATFORM} gcr.io/distroless/static-debian${DEBIAN_VERSION}:debug-nonroot AS debug +COPY --from=builder /build/rageshake /rageshake +EXPOSE 9110 +ENTRYPOINT ["/rageshake"] + +## Runtime stage ## +FROM --platform=${TARGETPLATFORM} gcr.io/distroless/static-debian${DEBIAN_VERSION}:nonroot COPY --from=builder /build/rageshake /rageshake -WORKDIR / EXPOSE 9110 ENTRYPOINT ["/rageshake"] diff --git a/docker-bake.hcl b/docker-bake.hcl new file mode 100644 index 0000000..97acacd --- /dev/null +++ b/docker-bake.hcl @@ -0,0 +1,25 @@ +// This is what is baked by GitHub Actions +group "default" { targets = ["regular", "debug"] } + +// Targets filled by GitHub Actions: one for the regular tag, one for the debug tag +target "docker-metadata-action" {} +target "docker-metadata-action-debug" {} + +// This sets the platforms and is further extended by GitHub Actions to set the +// output and the cache locations +target "base" { + platforms = [ + "linux/amd64", + "linux/arm64", + "linux/arm", + ] +} + +target "regular" { + inherits = ["base", "docker-metadata-action"] +} + +target "debug" { + inherits = ["base", "docker-metadata-action-debug"] + target = "debug" +}
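Review bot: The `debug` stage is published under the same image name with a `-debug` suffix, but nothing in the Dockerfile says how it differs from the regular runtime stage. A comment above the `FROM ... :debug-nonroot AS debug` line such as `# Same binary on the distroless debug base, which adds a busybox shell; for troubleshooting only.` would tell operators why it should not replace the default image. The two runtime stages also repeat the same `COPY`/`EXPOSE`/`ENTRYPOINT` lines, so any later change has to be made in both.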
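Review bot: `target "regular"` in the new `docker-bake.hcl` sets no `target`, so it builds whatever stage is last in the Dockerfile, while `debug` names its stage explicitly. Now that the Dockerfile holds both variants, reordering or appending a stage would silently publish a different stage under the regular tags. Naming the final stage (`... :nonroot AS runtime`) and adding `target = "runtime"` to `regular` makes the selection explicit.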