diff --git a/.github/workflows/publish-docker.yml b/.github/workflows/publish-docker.yml
index afb3b12..9bf288d 100644
--- a/.github/workflows/publish-docker.yml
+++ b/.github/workflows/publish-docker.yml
@@ -16,7 +16,41 @@ env:
 IMAGE_NAME: phundrak/phundrak-dot-com-backend
 jobs:
- build-and-publish:
+ coverage-and-sonar:
+ runs-on: ubuntu-latest
+ permissions:
+ content: read
+ pull-requests: read
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Install Nix
+ uses: cachix/install-nix-action@v27
+ with:
+ nix_path: nixpkgs=channel:nixos-unstable
+
+ - name: Setup Cachix
+ uses: cachix/cachix-action@v15
+ with:
+ name: '${{ env.CACHIX_NAME }}'
+ authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
+ skipPush: ${{ github.event_name == 'pull_request' }}
+
+ - name: Coverage
+ run: |
+ nix develop --no-pure-eval --accept-flake-config --command just coverage
+
+ - name: Sonar analysis
+ uses: SonarSource/sonarqube-scan-action@v6
+ env:
+ SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+ SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
+
+ build-docker:
 runs-on: ubuntu-latest
 permissions:
 contents: read
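Review bot: The `permissions` block of the new `coverage-and-sonar` job reads `content: read`, but the scope GitHub Actions recognises is `contents` — the `build-docker` job at the bottom of this hunk spells it correctly. With an explicit job-level `permissions` block every unlisted scope defaults to none, so `actions/checkout@v4` would run without read access to the repository (and GitHub's workflow validation may reject the unknown key outright); change the line to `contents: read`. Separately, this job handles `CACHIX_AUTH_TOKEN` and `SONAR_TOKEN` while pulling `cachix/install-nix-action`, `cachix/cachix-action` and `SonarSource/sonarqube-scan-action` by mutable tag; pinning each `uses:` to a full commit SHA (with the tag kept in a trailing comment) keeps a moved or compromised tag from reaching those secrets.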
@@ -39,25 +73,36 @@ jobs:
 authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
 skipPush: ${{ github.event_name == 'pull_request' }}
- - name: Coverage
- run: |
- nix develop --no-pure-eval --command just coverage
-
- - name: Sonar analysis
- uses: SonarSource/sonarqube-scan-action@v6
- env:
- SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
- SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
-
 - name: Build Docker image with Nix
 run: |
 echo "Building Docker image..."
 nix build .#backendDockerLatest --accept-flake-config
+ cp -L result docker-image.tar.gz
+
+ - name: Upload Docker image artifact
+ uses: actions/upload-artifact@v3
+ with:
+ name: docker-image
+ path: docker-image.tar.gz
+ retention-days: 1
+
+ push-docker:
+ needs: [coverage-and-sonar, build-docker]
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write # Required for pushing to Phundrak Labs registry
+
+ steps:
+ - name: Download Docker image artifact
+ uses: actions/download-artifact@v3
+ with:
+ name: docker-image
 - name: Load Docker image
 run: |
 echo "Loading Docker image into Docker daemon..."
- docker load < result
+ docker load < docker-image.tar.gz
 - name: Log in to Docker Registry
 run: |
@@ -127,6 +172,11 @@ jobs:
 if: always()
 run: docker logout ${{ env.DOCKER_REGISTRY }}
+ - name: Delete Docker image artifact
+ uses: geekyeggo/delete-artifact@v2
+ with:
+ name: docker-image
+
 - name: Image published successfully
 run: |
 echo "✅ Docker image(s) published successfully to ${{ env.DOCKER_REGISTRY }}/${{ env.IMAGE_NAME }}"
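Review bot: `actions/upload-artifact@v3` in the new `Upload Docker image artifact` step, and `actions/download-artifact@v3` in the `push-docker` job further down this hunk, are the deprecated v3 artifact actions whose retirement GitHub has announced; the handoff between `build-docker` and `push-docker` depends entirely on them, so the pipeline breaks once they stop working. Move both to `uses: actions/upload-artifact@v4` and `uses: actions/download-artifact@v4` — v4 artifacts are immutable per name, which fits the single `docker-image` upload here. The `retention-days: 1` setting already limits how long the not-yet-published image sits in the artifact store, which is the right default for a transfer artifact.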
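Review bot: The new `Delete Docker image artifact` step uses `geekyeggo/delete-artifact@v2`, which deletes through the Actions REST API and, as far as I can tell, needs `actions: write` on the job token; the `push-docker` job's `permissions` block (added in the previous hunk) grants only `contents: read` and `packages: write`, and with an explicit block every other scope defaults to none, so this step is likely to fail with a 403. Either add `actions: write` to that job's permissions or drop the step and rely on the `retention-days: 1` already set on the upload, which bounds the artifact's lifetime without pulling in a third-party action. If the step stays, pin it to a full commit SHA rather than the mutable `v2` tag, and give it `if: always()` like the logout step above it so a failed push does not leave the image artifact behind.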