diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 50071ee46..f13fac073 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -3,14 +3,113 @@ name: Docker on: workflow_dispatch: + inputs: + ref: + description: "The git ref to build from (branch, tag, or commit SHA)." + type: string + required: true + default: main + release: + types: [published] defaults: run: shell: bash jobs: + build: + strategy: + matrix: + include: + - runs-on: ubuntu-latest + arch: amd64 + - runs-on: ubuntu-24.04-arm + arch: arm64 + runs-on: ${{ matrix.runs-on }} + permissions: + contents: read + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + ref: ${{ github.event_name == 'workflow_dispatch' && inputs.ref || github.ref }} + + - name: Install build dependencies + run: sudo apt-get update && sudo apt-get install -y --no-install-recommends libudev-dev libdbus-1-dev + + - name: Build binary + run: cargo build --package stellar-cli --release + + - name: Upload binary + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 + with: + name: stellar-${{ matrix.arch }} + path: target/release/stellar + retention-days: 1 + docker: + needs: build runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read steps: - - run: echo "Building and pushing Docker image..." 
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + ref: ${{ github.event_name == 'workflow_dispatch' && inputs.ref || github.ref }} + fetch-depth: 0 + + - name: Download binaries + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 + with: + pattern: stellar-* + merge-multiple: false + + - name: Set up QEMU + uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4 + + - name: Log in to Docker Hub + uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + # Compute Docker tags from the ref. + # - Version tag (e.g. v1.2.3): push versioned + latest tags. + # - Any other ref: push a tag for the resolved commit SHA. + - name: Compute tags + run: | + ref="${{ github.event_name == 'workflow_dispatch' && inputs.ref || github.ref_name }}" + + if [[ "$ref" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then + version="${ref#v}" + echo "DOCKER_TAGS=stellar/stellar-cli:${version},stellar/stellar-cli:latest" >> $GITHUB_ENV + elif [[ "${{ github.event_name }}" == "release" ]]; then + echo "::error::Release tag '${ref}' is not a valid version tag (expected vX.Y.Z)." + exit 1 + else + commit="$(git rev-parse HEAD)" + echo "DOCKER_TAGS=stellar/stellar-cli:${commit}" >> $GITHUB_ENV + fi + + - name: Build and push + uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7 + with: + context: . 
+ platforms: linux/amd64,linux/arm64 + push: true + tags: ${{ env.DOCKER_TAGS }} + + - name: Update Docker Hub description + run: | + TOKEN=$(curl -s -X POST "https://hub.docker.com/v2/users/login/" \ + -H "Content-Type: application/json" \ + -d '{"username":"${{ secrets.DOCKERHUB_USERNAME }}","password":"${{ secrets.DOCKERHUB_TOKEN }}"}' \ + | jq -r .token) + + jq -n --arg desc "$(cat ./docker/README.md)" '{"full_description": $desc}' | \ + curl -s -X PATCH "https://hub.docker.com/v2/repositories/stellar/stellar-cli/" \ + -H "Content-Type: application/json" \ + -H "Authorization: Bearer ${TOKEN}" \ + -d @- diff --git a/Dockerfile b/Dockerfile index 83552048e..69b87048e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,18 +1,3 @@ -FROM rust:latest AS builder - -ARG STELLAR_CLI_REF=main - -RUN apt-get update && \ - apt-get install -y --no-install-recommends libdbus-1-dev libudev-dev pkg-config git && \ - rm -rf /var/lib/apt/lists/* - -RUN git clone https://github.com/stellar/stellar-cli.git /tmp/stellar-cli && \ - cd /tmp/stellar-cli && \ - git fetch origin "${STELLAR_CLI_REF}" && \ - git checkout "${STELLAR_CLI_REF}" && \ - cargo install --locked --path cmd/stellar-cli && \ - rm -rf /tmp/stellar-cli - FROM rust:latest RUN rustup target add wasm32v1-none @@ -21,13 +6,15 @@ RUN apt-get update && \ apt-get install -y --no-install-recommends dbus gnome-keyring libdbus-1-3 libudev1 libssl3 && \ rm -rf /var/lib/apt/lists/* -COPY --from=builder /usr/local/cargo/bin/stellar /usr/local/bin/stellar +ARG TARGETARCH +COPY stellar-${TARGETARCH}/stellar /usr/local/bin/stellar ENV STELLAR_CONFIG_HOME=/config ENV STELLAR_DATA_HOME=/data COPY entrypoint.sh /usr/local/bin/entrypoint.sh -RUN chmod +x /usr/local/bin/entrypoint.sh +RUN chmod +x /usr/local/bin/entrypoint.sh && \ + chmod +x /usr/local/bin/stellar WORKDIR /source diff --git a/docker/README.md b/docker/README.md new file mode 100644 index 000000000..2e47cbabe --- /dev/null +++ b/docker/README.md 
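Review bot: The `Compute tags` step expands `${{ … inputs.ref || github.ref_name }}` and `${{ github.event_name }}` straight into the bash script text, so shell metacharacters in a dispatch input or tag name are parsed as code rather than data, in a job that has already logged in to Docker Hub. Pass the values through `env:` and read them as `"$REF"` and `"$EVENT_NAME"` instead. The `Update Docker Hub description` step has the same pattern: `secrets.DOCKERHUB_USERNAME` and `secrets.DOCKERHUB_TOKEN` are spliced into a single-quoted JSON literal, so a quote character in either value breaks the request and the credential lands on the curl command line. Building the body with `jq --arg` from environment variables and sending it with `-d @-`, as the PATCH call already does, avoids both. Separately, a manual dispatch whose `ref` matches `vX.Y.Z` also moves `latest`, which may not be intended when rebuilding an older version.

```yaml
      - name: Compute tags
        env:
          REF: ${{ github.event_name == 'workflow_dispatch' && inputs.ref || github.ref_name }}
          EVENT_NAME: ${{ github.event_name }}
        run: |
          ref="$REF"
          # … unchanged: version-tag branch writing DOCKER_TAGS …
          elif [[ "$EVENT_NAME" == "release" ]]; then
          # … unchanged: error exit and commit-SHA branch …

      - name: Update Docker Hub description
        env:
          DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
          DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
        run: |
          TOKEN=$(jq -n --arg u "$DOCKERHUB_USERNAME" --arg p "$DOCKERHUB_TOKEN" \
                '{username: $u, password: $p}' \
            | curl -s -X POST "https://hub.docker.com/v2/users/login/" \
                -H "Content-Type: application/json" \
                -d @- \
            | jq -r .token)
          # … unchanged: PATCH of full_description from docker/README.md …
```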
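Review bot: The added `chmod +x /usr/local/bin/stellar` in the final `RUN` rewrites the whole binary into a second layer just to set its mode bit; setting the mode at copy time with `COPY --chmod=755 stellar-${TARGETARCH}/stellar /usr/local/bin/stellar` gives the same result without the duplicate (the workflow builds with Buildx, which supports `--chmod`). The image now ships whatever file sits at `stellar-${TARGETARCH}/stellar` in the build context instead of compiling it in a builder stage, so a comment above the `COPY` such as `# Prebuilt by the build job in .github/workflows/docker.yml and downloaded into stellar-<arch>/ before docker build` would tell local builders where it comes from. Because `FROM rust:latest` floats and the binary is compiled on the GitHub runner image, it is probably worth confirming that the base image satisfies the binary's glibc and libssl requirements, or pinning the base tag. The Dockerfile continues past this hunk.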
@@ -0,0 +1,53 @@
+# Stellar CLI
+
+Command-line interface for building and deploying smart contracts on the [Stellar](https://stellar.org) network.
+
+For full documentation, visit [https://developers.stellar.org](https://developers.stellar.org).
+
+## Quick Start
+
+```sh
+docker run --rm -it -v "$(pwd)":/source stellar/stellar-cli version
+```
+
+## Usage
+
+The container expects your project files to be mounted at `/source` (the default working directory). Any `stellar` subcommand can be passed directly:
+
+```sh
+# Build a contract
+docker run --rm -it -v "$(pwd)":/source stellar/stellar-cli contract build
+
+# Deploy a contract
+docker run --rm -it \
+ -v "$(pwd)":/source \
+ -e STELLAR_RPC_URL=https://soroban-testnet.stellar.org:443 \
+ -e STELLAR_NETWORK_PASSPHRASE="Test SDF Network ; September 2015" \
+ stellar/stellar-cli contract deploy --wasm target/wasm32v1-none/release/my_contract.wasm --source
+```
+
+### Persisting Configuration
+
+Configuration and data are stored inside the container by default and lost when it exits. Mount volumes to keep them across runs:
+
+```sh
+docker run --rm -it \
+ -v "$(pwd)":/source \
+ -v stellar-config:/config \
+ -v stellar-data:/data \
+ stellar/stellar-cli contract build
+```
+
+## Container Paths
+
+| Path | Description |
+| --- | --- |
+| `/source` | Working directory where project files should be mounted. |
+| `/config` | CLI configuration directory (`STELLAR_CONFIG_HOME`). Mount a volume to persist networks and keys across runs. |
+| `/data` | CLI data directory (`STELLAR_DATA_HOME`). Mount a volume to persist cached contract specs and data. |
+
+## Image Tags
+
+- `latest` — most recent release.
+- `X.Y.Z` — specific release version (e.g. `22.6.0`).
+- `` — build from a specific commit.