diff --git a/Dockerfile b/Dockerfile
deleted file mode 100644
index d4cd499..0000000
--- a/Dockerfile
+++ /dev/null
@@ -1,29 +0,0 @@
-FROM golang:1-alpine3.18 AS builder
-
-RUN apk -v --no-progress --no-cache add git
-
-WORKDIR /src
-
-COPY go.mod go.sum ./
-RUN go mod download
-
-COPY internal ./internal/
-COPY *.go ./
-RUN CGO_ENABLED=0 GOARCH=amd64 go build .
-
-
-FROM --platform=linux/amd64 debian:bookworm-slim
-
-RUN DEBIAN_FRONTEND=noninteractive apt-get update \
- && DEBIAN_FRONTEND=noninteractive apt-get -y dist-upgrade \
- && DEBIAN_FRONTEND=noninteractive apt-get clean \
- && ( find /var/lib/apt/lists -mindepth 1 -delete || true ) \
- && ( find /var/tmp -mindepth 1 -delete || true ) \
- && ( find /tmp -mindepth 1 -delete || true )
-
-COPY --from=builder \
- /src/discourse-auth-proxy \
- /usr/local/bin/discourse-auth-proxy
-COPY docker-entrypoint /usr/local/bin/docker-entrypoint
-
-ENTRYPOINT ["/usr/local/bin/docker-entrypoint"]
diff --git a/Makefile b/Makefile
deleted file mode 100644
index 5fe0de1..0000000
--- a/Makefile
+++ /dev/null
@@ -1,19 +0,0 @@
-IMAGE := discourse/auth-proxy
-TAG := $(shell date -u +%Y%m%d.%H%M%S)
-
-.PHONY: default
-default: push
- @printf "${IMAGE}:${TAG} ready\n"
-
-.PHONY: push
-push: build
- docker push ${IMAGE}:${TAG}
-
-.PHONY: build
-build:
- docker build --pull -t ${IMAGE}:${TAG} .
-
-.PHONY: release
-release:
- docker tag ${IMAGE}:${TAG} ${IMAGE}:latest
- docker push ${IMAGE}:latest
diff --git a/README.md b/README.md
index 9105e70..864c12e 100644
--- a/README.md
+++ b/README.md
@@ -55,16 +55,4 @@ docker run discourse/auth-proxy Running will display configuration instructions -You may build an image using - -``` -make build -``` - -After building, you may publish it as a new release -- i.e. `latest` tag -- using - -``` -make release TAG=20220406.135620 -``` - -(Replace with the actual built tag.) +A new OCI image is automatically published to [Docker Hub](https://hub.docker.com/r/discourse/auth-proxy/tags) upon every push to branch `main` on GitHub. The release procedure is documented in t/120578 for the benefit of CDCK staff. diff --git a/dist/Dockerfile b/dist/Dockerfile new file mode 100644 index 0000000..145e6f2 --- /dev/null +++ b/dist/Dockerfile 
@@ -0,0 +1,43 @@ +# syntax=docker/dockerfile:1 + +ARG BASE_IMAGE_DEBIAN=debian:bookworm-slim +ARG BASE_IMAGE_GO_ALPINE=golang:1-alpine + + +FROM ${BASE_IMAGE_GO_ALPINE} AS builder + +ARG TARGETARCH +ARG TARGETOS + +RUN apk -v --no-progress --no-cache add git + +WORKDIR /src + +COPY go.mod go.sum ./ +RUN --mount=type=cache,target=/root/.cache/go-build \ + go mod download + +COPY internal ./internal/ +COPY *.go ./ +RUN --mount=type=cache,target=/root/.cache/go-build \ + CGO_ENABLED=0 \ + GOARCH=${TARGETARCH} \ + GOOS=${TARGETOS} \ + go build . + + +FROM ${BASE_IMAGE_DEBIAN} + +RUN <> tags/tags + echo "${BASE_TAG}-${BUILD_ID}-${REVISION}" >> tags/tags + + - task: build + privileged: true + config: + platform: linux + image_resource: + type: registry-image + source: + repository: concourse/oci-build-task + username: ((docker-hub.username)) + password: ((docker-hub.password)) + inputs: + - name: discourse-auth-proxy + - name: debian-oci + - name: go1-oci + outputs: + - name: image + caches: + - path: cache + params: + CONTEXT: discourse-auth-proxy + DOCKERFILE: discourse-auth-proxy/dist/Dockerfile + IMAGE_ARG_BASE_IMAGE_DEBIAN: debian-oci/image.tar + IMAGE_ARG_BASE_IMAGE_GO_ALPINE: go1-oci/image.tar + OUTPUT_OCI: true + run: + path: build + + - put: ecr + inputs: + - image + - tags + params: + image: image/image + additional_tags: tags/tags + get_params: {skip_download: true} diff --git a/dist/concourse/pipeline.yaml b/dist/concourse/pipeline.yaml new file mode 100644 index 0000000..5468597 --- /dev/null +++ b/dist/concourse/pipeline.yaml 
@@ -0,0 +1,143 @@
+# SECURITY
+# This is a public repository. Mind what you write.
+# Do not accept modifications from people outside CDCK.
+# Seek infra security review if unsure.
+
+---
+var_sources:
+- name: xacco
+ type: vault
+ config:
+ url: http://127.0.0.1:8200
+ path_prefix: /aws-xacc-obfuscate
+ client_token: unused-but-some-value-required
+
+resources:
+- name: discourse-auth-proxy
+ type: git
+ icon: github
+ source:
+ uri: git@github.com:discourse/discourse-auth-proxy.git
+ private_key: ((github-discoursebuild))
+ webhook_token: unused-but-some-value-required
+
+- name: alpine
+ type: registry-image
+ icon: docker
+ check_every: 24h
+ source:
+ repository: alpine
+ tag: "3"
+ username: ((docker-hub.username))
+ password: ((docker-hub.password))
+
+- name: debian-oci
+ type: registry-image
+ icon: docker
+ check_every: 24h
+ source:
+ repository: debian
+ tag: "bookworm-slim"
+ username: ((docker-hub.username))
+ password: ((docker-hub.password))
+
+- name: go1-oci
+ type: registry-image
+ icon: docker
+ check_every: 168h
+ source:
+ repository: golang
+ tag: "1-alpine"
+ username: ((docker-hub.username))
+ password: ((docker-hub.password))
+
+- name: docker-hub
+ type: registry-image
+ icon: docker
+ source:
+ repository: discourse/auth-proxy
+ username: ((docker-hub.username))
+ password: ((docker-hub.password))
+
+- name: ecr
+ type: registry-image
+ icon: docker
+ source:
+ repository: auth-proxy
+ aws_access_key_id: ((xacco:machine/concourse-ecr-push/docker-registry.AWS_ACCESS_KEY_ID))
+ aws_secret_access_key: ((xacco:machine/concourse-ecr-push/docker-registry.AWS_SECRET_ACCESS_KEY))
+ aws_session_token: ((xacco:machine/concourse-ecr-push/docker-registry.AWS_SESSION_TOKEN))
+ aws_region: ((obfuscate-aws-docker-registry.region))
+
+jobs:
+- name: build
+ serial: true
+ plan:
+ - in_parallel:
+ - get: discourse-auth-proxy
+ trigger: true
+ - get: alpine
+ - get: debian-oci
+ params: {format: oci}
+ - get: go1-oci
+ trigger: true
+ params: {format: oci}
+
+ - task: generate-tags
+ image: alpine
+ config:
+ platform: linux
+ outputs:
+ - name: tags
+ run:
+ path: sh
+ args:
+ - -exc
+ - |
+ echo latest >>tags/tags
+ date -u +%Y%m%d.%H%M%S >>tags/tags
+
+ - task: build
+ privileged: true
+ config:
+ platform: linux
+ image_resource:
+ type: registry-image
+ source:
+ repository: concourse/oci-build-task
+ username: ((docker-hub.username))
+ password: ((docker-hub.password))
+ inputs:
+ - name: discourse-auth-proxy
+ - name: debian-oci
+ - name: go1-oci
+ outputs:
+ - name: image
+ caches:
+ - path: cache
+ params:
+ CONTEXT: discourse-auth-proxy
+ DOCKERFILE: discourse-auth-proxy/dist/Dockerfile
+ IMAGE_ARG_BASE_IMAGE_DEBIAN: debian-oci/image.tar
+ IMAGE_ARG_BASE_IMAGE_GO_ALPINE: go1-oci/image.tar
+ OUTPUT_OCI: true
+ run:
+ path: build
+
+ - in_parallel:
+ - put: docker-hub
+ inputs:
+ - image
+ - tags
+ params:
+ image: image/image
+ additional_tags: tags/tags
+ get_params: {skip_download: true}
+ - put: ecr
+ inputs:
+ - image
+ - tags
+ params:
+ image: image/image
+ additional_tags: tags/tags
+ get_params: {skip_download: true}
diff --git a/docker-entrypoint b/dist/docker-entrypoint
similarity index 100%
rename from docker-entrypoint
rename to dist/docker-entrypoint
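Review bot: The `build` task runs with `privileged: true` while its `image_resource` for `concourse/oci-build-task` names no tag or digest, so the privileged step that produces the published image runs whatever that repository currently serves as its default tag. Pinning it, for example by adding `tag: "<PINNED_TAG>"` (placeholder value) under that `source:` and bumping it deliberately, keeps the build tool from changing underneath the pipeline. Separately, `get: debian-oci` has no `trigger: true`, so a refreshed `debian:bookworm-slim` does not by itself cause a rebuild; if the runtime image is meant to track Debian security updates, add `trigger: true` there as on `go1-oci`. A short comment on why the task needs `privileged: true` would also help later reviewers.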