diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 99eb2d8..ea5d0ef 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -11,37 +11,58 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -permissions: - contents: write # Upload artefacts to release. - id-token: write # required by read-vault-secrets. - jobs: - publish-public: + publish: runs-on: ubuntu-latest + permissions: + contents: read + # write is needed for: + # - OIDC for cosign's use in ecm-distro-tools/publish-image. + # - Read vault secrets in rancher-eio/read-vault-secrets. + id-token: write + + strategy: + matrix: + include: + # Four images are created: + # - Multi-arch manifest for amd64, arm64 and s390x + - tag-suffix: "" + platforms: linux/amd64,linux/arm64,linux/s390x + # - arm64 manifest + - tag-suffix: "-arm64" + platforms: linux/arm64 + # - amd64 manifest + - tag-suffix: "-amd64" + platforms: linux/amd64 + # - s390x manifest + - tag-suffix: "-s390x" + platforms: linux/s390x + steps: + - name: Checkout code + uses: actions/checkout@v4 - name: Load Secrets from Vault uses: rancher-eio/read-vault-secrets@main with: secrets: | secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials username | DOCKER_USERNAME ; - secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials password | DOCKER_PASSWORD - - name: Login to Docker Hub - uses: docker/login-action@v3 - with: - username: ${{ env.DOCKER_USERNAME }} - password: ${{ env.DOCKER_PASSWORD }} - - name: Setup QEMU - uses: docker/setup-qemu-action@v3 - - name: Setup Docker Buildx - uses: docker/setup-buildx-action@v3 - - name: Checkout code - uses: actions/checkout@v4 + secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials password | DOCKER_PASSWORD ; + secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials registry | PRIME_REGISTRY ; + secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials username | PRIME_REGISTRY_USERNAME ; + secret/data/github/repo/${{ github.repository 
}}/rancher-prime-registry/credentials password | PRIME_REGISTRY_PASSWORD - name: Build and push all image variations - run: | - make image-push - TAG="${TAG}-amd64" TARGET_PLATFORMS=linux/amd64 make image-push - TAG="${TAG}-arm64" TARGET_PLATFORMS=linux/arm64 make image-push - TAG="${TAG}-s390x" TARGET_PLATFORMS=linux/s390x make image-push - env: - TAG: ${{ github.ref == 'refs/heads/main' && 'head' || github.ref_name }} - REPO: ${{ vars.PUBLIC_REGISTRY }}/${{ vars.PUBLIC_REGISTRY_REPO }} + uses: rancher/ecm-distro-tools/actions/publish-image@master + with: + image: shell + tag: ${{ github.ref == 'refs/heads/main' && 'head' || github.ref_name }}${{ matrix.tag-suffix }} + platforms: ${{ matrix.platforms }} + + public-registry: docker.io + public-repo: rancher + public-username: ${{ env.DOCKER_USERNAME }} + public-password: ${{ env.DOCKER_PASSWORD }} + + prime-registry: ${{ env.PRIME_REGISTRY }} + prime-repo: rancher + prime-username: ${{ env.PRIME_REGISTRY_USERNAME }} + prime-password: ${{ env.PRIME_REGISTRY_PASSWORD }} diff --git a/Makefile b/Makefile index caa0ea9..cfafdbb 100644 --- a/Makefile +++ b/Makefile @@ -19,7 +19,7 @@ clean: ## clean up project. rm -rf build test: test-build ## test the build against all target platforms. - $(MAKE) image-build + $(MAKE) build-image IMAGE=$(IMAGE) \ KUBECTL_VERSION=$(KUBECTL_VERSION) HELM_VERSION=$(HELM_VERSION) \ KUSTOMIZE_VERSION=$(KUSTOMIZE_VERSION) K9S_VERSION=$(K9S_VERSION) \ 
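Review bot: The new `publish` job hands the Docker Hub and Prime registry credentials plus the OIDC token (`id-token: write`) to two third-party actions referenced by mutable branch names, `rancher-eio/read-vault-secrets@main` and `rancher/ecm-distro-tools/actions/publish-image@master`, so any future push to those branches runs with this repository's publishing secrets. Pin both to a full commit SHA and keep the branch as a trailing comment, e.g. `uses: rancher-eio/read-vault-secrets@<sha> # main` and `uses: rancher/ecm-distro-tools/actions/publish-image@<sha> # master`, and let Dependabot or Renovate bump them. The same applies to the `actions/checkout@v4` tag, though that is a lower-risk first-party action. Separately, the old `make image-push` path is gone, so whether the release images still get the Makefile's SBOM/provenance defaults now depends entirely on what `publish-image` does internally — worth confirming rather than assuming.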
@@ -28,15 +28,15 @@ test: test-build ## test the build against all target platforms. test-build: # Instead of loading image, target all platforms, effectivelly testing # the build for the target architectures. - $(MAKE) image-build BUILD_ACTION="--platform=$(TARGET_PLATFORMS)" + $(MAKE) build-image BUILD_ACTION="--platform=$(TARGET_PLATFORMS)" -image-build: buildx-machine ## build (and load) the container image targeting the current platform. +build-image: buildx-machine ## build (and load) the container image targeting the current platform. $(IMAGE_BUILDER) build -f package/Dockerfile \ --builder $(MACHINE) $(IMAGE_ARGS) \ --build-arg VERSION=$(VERSION) -t "$(IMAGE)" $(BUILD_ACTION) . @echo "Built $(IMAGE)" -image-push: buildx-machine ## build the container image targeting all platforms defined by TARGET_PLATFORMS and push to a registry. +push-image: buildx-machine ## build the container image targeting all platforms defined by TARGET_PLATFORMS and push to a registry. $(IMAGE_BUILDER) build -f package/Dockerfile \ --builder $(MACHINE) $(IMAGE_ARGS) $(IID_FILE_FLAG) $(BUILDX_ARGS) \ --build-arg VERSION=$(VERSION) --platform=$(TARGET_PLATFORMS) -t "$(IMAGE)" --push . diff --git a/hack/make/build.mk b/hack/make/build.mk index 4bd61d4..5e3aa51 100644 --- a/hack/make/build.mk +++ b/hack/make/build.mk @@ -31,6 +31,7 @@ endif RUNNER := docker IMAGE_BUILDER := $(RUNNER) buildx MACHINE := rancher +BUILDX_ARGS ?= --sbom=true --attest type=provenance,mode=max ifeq ($(TAG),) TAG = $(VERSION)
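Review bot: The new `BUILDX_ARGS ?= --sbom=true --attest type=provenance,mode=max` default in `hack/make/build.mk` has a consequence that deserves a comment next to it: `mode=max` provenance records the build arguments and other build-environment details in the published attestation, so anything passed via `--build-arg` in `push-image` (today only `VERSION`) becomes part of the public image metadata. Add something like `# Default attestations for push-image: SBOM + provenance. mode=max records build args in the attestation, so never pass secrets via --build-arg.` above the assignment. Also note that since `release.yml` no longer calls `make push-image`, this default only affects local/manual pushes unless the `publish-image` action honours it — confirm before relying on it for released images. The surrounding `ifeq ($(TAG),)` block continues outside the hunk.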