diff --git a/.github/workflows/docker_publish.yml b/.github/workflows/docker_publish.yml
new file mode 100644
index 000000000..e359ea740
--- /dev/null
+++ b/.github/workflows/docker_publish.yml
@@ -0,0 +1,100 @@
+name: "Docker publish"
+
+on:
+ workflow_call:
+ inputs:
+ version:
+ required: true
+ type: string
+ generic_tag:
+ required: true
+ type: string
+
+permissions:
+ packages: write
+ id-token: write # Required to authenticate with OIDC for AWS
+
+jobs:
+ deploy:
+ continue-on-error: true
+ strategy:
+ fail-fast: false
+ matrix:
+ registry: [ 'docker.io', 'ghcr.io', 'ecr' ]
+
+ runs-on: ubuntu-latest
+ steps:
+
+ - name: Download docker image
+ uses: actions/download-artifact@v4
+ with:
+ name: image
+ path: /tmp
+
+ # setup containerd to preserve provenance attestations :https://docs.docker.com/build/attestations/#creating-attestations
+ - name: Setup docker with containerd
+ uses: crazy-max/ghaction-setup-docker@v3
+ with:
+ daemon-config: |
+ {
+ "features": {
+ "containerd-snapshotter": true
+ }
+ }
+
+ - name: Load docker image into daemon
+ run: |
+ docker load --input /tmp/image.tar
+
+ - name: Login to docker.io
+ if: matrix.registry == 'docker.io'
+ uses: docker/login-action@v3
+ with:
+ registry: ${{ matrix.registry }}
+ username: ${{ secrets.DOCKERHUB_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+ - name: Login to ghcr.io
+ if: matrix.registry == 'ghcr.io'
+ uses: docker/login-action@v3
+ with:
+ registry: ${{ matrix.registry }}
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Configure AWS credentials
+ if: matrix.registry == 'ecr'
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ aws-region: us-east-1 # This region only for public ECR
+ role-to-assume: ${{ secrets.AWS_ROLE }}
+
+ - name: Login to public ECR
+ if: matrix.registry == 'ecr'
+ id: login-ecr-public
+ uses: aws-actions/amazon-ecr-login@v2
+ with:
+ registry-type: public
+
+ - name: define env vars
+ run: |
+ if [ ${{matrix.registry }} == 'docker.io' ]; then
+ echo "REGISTRY=${{ matrix.registry }}" >> $GITHUB_ENV
+ echo "REPOSITORY=${{ github.repository }}" >> $GITHUB_ENV
+ elif [ ${{ matrix.registry }} == 'ghcr.io' ];
then + echo "REGISTRY=${{ matrix.registry }}" >> $GITHUB_ENV + echo "REPOSITORY=${{ github.repository }}" >> $GITHUB_ENV + elif [ ${{ matrix.registry }} == 'ecr' ]; then + echo "REGISTRY=${{ vars.ECR_REGISTRY }}" >> $GITHUB_ENV + echo "REPOSITORY=${{ github.repository }}" >> $GITHUB_ENV + else + echo "REGISTRY=" >> $GITHUB_ENV + echo "REPOSITORY=notworking" >> $GITHUB_ENV + fi + + - name: Push images to ${{ matrix.registry }} + run: | + docker tag kafka-ui:temp ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:${{ inputs.generic_tag }} + docker tag kafka-ui:temp ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:${{ inputs.version }} + docker push ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:${{ inputs.generic_tag }} + docker push ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:${{ inputs.version }} diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 27722a461..9e331153a 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -9,7 +9,7 @@ permissions: contents: read jobs: - jar-build: + jar-jar-build: runs-on: ubuntu-latest permissions: @@ -18,6 +18,9 @@ jobs: outputs: version: ${{steps.build.outputs.version}} + outputs: + version: ${{steps.build.outputs.version}} + steps: - name: Checkout uses: actions/checkout@v4 @@ -40,6 +43,8 @@ jobs: export VERSION=$(./mvnw -q -Dexec.executable=echo -Dexec.args='${project.version}' --non-recursive exec:exec) echo "version=${VERSION}" >> $GITHUB_OUTPUT + - name: Upload jar + uses: actions/upload-artifact@v4 - name: Upload jar uses: actions/upload-artifact@v4 with: 
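Review bot: The `Push images` and `define env vars` steps paste `${{ inputs.version }}`, `${{ inputs.generic_tag }}`, `${{ github.repository }}` and `${{ vars.ECR_REGISTRY }}` straight into the shell script, so the expanded values are re-parsed as shell text in a job that holds the Docker Hub token, `packages: write` and an OIDC `id-token`. The caller in main.yml appears to take `version` from the Maven project version, which is plain repository text rather than a validated tag. Pass the inputs through `env:` and use quoted shell variables instead, as in the fence below; `REGISTRY` and `REPOSITORY` are already exported through `$GITHUB_ENV`. The `else` branch in `define env vars` should also `exit 1` rather than let the push run against `REPOSITORY=notworking`, and `continue-on-error: true` on the job hides a failed push to any one registry.

```yaml
# … unchanged: download, docker setup, registry logins, define env vars …
- name: Push images to ${{ matrix.registry }}
  env:
    GENERIC_TAG: ${{ inputs.generic_tag }}
    VERSION: ${{ inputs.version }}
  run: |
    docker tag kafka-ui:temp "${REGISTRY}/${REPOSITORY}:${GENERIC_TAG}"
    docker tag kafka-ui:temp "${REGISTRY}/${REPOSITORY}:${VERSION}"
    docker push "${REGISTRY}/${REPOSITORY}:${GENERIC_TAG}"
    docker push "${REGISTRY}/${REPOSITORY}:${VERSION}"
```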
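Review bot: Renaming the job key to `jar-jar-build` in the `@@ -9,7 +9,7 @@` hunk leaves every later reference stale: the `@@ -57,6 +62,30 @@` hunk still has `needs: jar-build`, `needs: [ jar-build, docker-build ]` and `${{ needs.jar-build.outputs.version }}`. A `needs` entry that names a job which does not exist makes the workflow file invalid, so neither the build nor the publish jobs would run. Either keep the key as `jar-build` or update the references in the same commit; the rename looks unintended.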
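Review bot: The `outputs:` block added in the `@@ -18,6 +18,9 @@` hunk repeats the `outputs:` mapping that is already present as context directly above it, giving the job two `outputs` keys; duplicate mapping keys are invalid YAML, and parsers either reject them or silently keep the last one. The same duplication appears in the `@@ -40,6 +43,8 @@` hunk, which adds a second `Upload jar` step with `uses: actions/upload-artifact@v4` but no `with:`, and in the `@@ -57,6 +62,30 @@` hunk, which adds `docker-deploy` and `docker-build` jobs that already exist as context. This looks like a bad merge or rebase; drop the added copies so that each key and step appears once.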
@@ -57,6 +62,30 @@ jobs: sha: ${{ github.sha }} version: ${{ needs.jar-build.outputs.version }} + docker-deploy: + needs: [ jar-build, docker-build ] + permissions: + packages: write + id-token: write # Required to authenticate with OIDC for AWS + uses: ./.github/workflows/docker_publish.yml + secrets: inherit + with: + version: ${{ needs.jar-build.outputs.version }} + generic_tag: main + name: kafbat-ui-${{ steps.build.outputs.version }} + path: api/target/api-${{ steps.build.outputs.version }}.jar + retention-days: 1 + + docker-build: + needs: jar-build + permissions: + contents: read + uses: ./.github/workflows/docker_build.yml + secrets: inherit + with: + sha: ${{ github.sha }} + version: ${{ needs.jar-build.outputs.version }} + docker-deploy: needs: [ jar-build, docker-build ] permissions:
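Review bot: In the added `docker-deploy` job, `secrets: inherit` hands every repository and organisation secret to docker_publish.yml, which, going by the new file, reads only `DOCKERHUB_USERNAME`, `DOCKERHUB_TOKEN` and `AWS_ROLE`. Passing those three by name under `secrets:`, e.g. `DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}`, and declaring them under `on.workflow_call.secrets` in the called workflow, keeps unrelated credentials out of a job that also has `packages: write` and `id-token: write`. The same `with:` block carries `name`, `path` and `retention-days`, which are not inputs declared by docker_publish.yml, and they reference `steps.build.outputs.version`, a context that is not available to a job calling a reusable workflow. They look like leftovers from the `Upload jar` step and should be removed.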