diff --git a/.github/workflows/push_stable_image.yaml b/.github/workflows/push_stable_image.yaml
new file mode 100644
index 0000000..6d36a18
--- /dev/null
+++ b/.github/workflows/push_stable_image.yaml
@@ -0,0 +1,69 @@
+name: Build and push the stable image
+
+# triggered by publishing a release
+on:
+ release:
+ types: [published]
+
+## GITHUB_TOKEN authentication
+permissions:
+ contents: write
+
+jobs:
+ buildandpush:
+ runs-on: ubuntu-latest
+ # we only want to run this on stable releases
+ if: github.event.release.prerelease == false
+ steps:
+ # https://github.com/CycodeLabs/cimon-action
+ - name: Cimon supply chain attack protection
+ uses: cycodelabs/cimon-action@v0
+ with:
+ client-id: ${{ secrets.CIMON_CLIENT_ID }}
+ secret: ${{ secrets.CIMON_SECRET }}
+ prevent: true
+ allowed-hosts: >
+ codeload.github.com
+ dl-cdn.alpinelinux.org
+ docker.io
+ ghcr.io
+ index.docker.io
+ nginx.org
+ packagist.org
+ pkg-containers.githubusercontent.com
+ production.cloudflare.docker.com
+ registry.yarnpkg.com
+ repo.yarnpkg.com
+
+ - name: Checkout elabimg repo
+ uses: actions/checkout@v3
+
+ # https://github.com/marketplace/actions/docker-setup-buildx
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v2
+
+ # https://github.com/docker/setup-qemu-action#usage
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v2
+
+ # https://github.com/docker/login-action#docker-hub
+ - name: Login to Docker Hub
+ uses: docker/login-action@v2
+ with:
+ username: ${{ secrets.DOCKER_HUB_USERNAME }}
+ password: ${{ secrets.DOCKER_HUB_TOKEN }}
+
+ # https://github.com/docker/build-push-action#multi-platform-image
+ # https://docs.docker.com/build/ci/github-actions/cache/
+ - name: Build latest release for all platforms and push to Docker Hub
+ uses: docker/build-push-action@v4
+ with:
+ context: .
+ platforms: linux/arm64,linux/amd64
+ push: true
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
+ build-args: |
+ ELABFTW_VERSION=${{ github.ref_name }}
+ tags: |
+ elabftw/elabimg:stable
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7e361b8..0a321d4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
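Review bot: `permissions: contents: write` gives the job's GITHUB_TOKEN more than any visible step uses: the job checks out the repo, builds, and pushes to Docker Hub with `DOCKER_HUB_TOKEN`, and nothing in it writes to the repository, so `contents: read` should be enough. Separately, every `uses:` line references a mutable tag (`cycodelabs/cimon-action@v0`, `actions/checkout@v3`, `docker/setup-buildx-action@v2`, `docker/setup-qemu-action@v2`, `docker/login-action@v2`, `docker/build-push-action@v4`) in a job that holds the registry credentials and moves the `stable` tag. Pinning each to a full commit SHA, e.g. `uses: docker/login-action@<full-commit-sha>  # v2`, keeps a retagged action from running with those secrets. The `type=gha` cache should not depend on the `contents` scope, but confirm with one release run after lowering the permission.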
@@ -1,6 +1,10 @@ # Container image version # Note: the version here is from `ELABIMG_VERSION` present in Dockerfile, not the tagged one +# 4.7.0 + +* Add a GH Action to push a `stable` image tag (https://github.com/elabftw/elabftw/discussions/4779) + # 4.6.2 * Redirect all php-fpm error log to stderr