diff --git a/.github/workflows/docker_publish.yml b/.github/workflows/docker_publish.yml
index 673d4ee..2365211 100644
--- a/.github/workflows/docker_publish.yml
+++ b/.github/workflows/docker_publish.yml
@@ -71,11 +71,13 @@ jobs:
 - name: Get Docker Metadata
 id: meta
 uses: docker/metadata-action@v5
+ env:
+ DOCKER_METADATA_PR_HEAD_SHA: true
 with:
 images: ${{ env.NAMESPACED_REGISTRY }}/${{ matrix.changed_dir }}
 tags: |
 type=semver,pattern={{version}},value=v${{ steps.calculate_version.outputs.version }}
- type=sha
+ type=sha,prefix=
 - name: Build and Push Docker image
 id: push
 uses: docker/build-push-action@v6
@@ -84,22 +86,18 @@ jobs:
 file: ${{ github.workspace }}/${{ matrix.changed_dir }}/Dockerfile
 push: true
 tags: ${{ steps.meta.outputs.tags }}
+ annotations: ${{ steps.meta.outputs.annotations }}
 labels: ${{ steps.meta.outputs.labels }}
 platforms: ${{ steps.extract_from_config_yaml.outputs.platforms }}
- - name: Generate artifact attestation
- uses: actions/attest-build-provenance@v1
- with:
- subject-name: ${{ env.NAMESPACED_REGISTRY }}/${{ matrix.changed_dir }}
- subject-digest: ${{ steps.push.outputs.digest }}
- push-to-registry: true
 - name: Create Git Tag
- if: ${{ github.event_name != 'pull_request' }}
 uses: mathieudutour/github-tag-action@v6.2
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
 default_bump: false
 default_prerelease_bump: false
 custom_tag: ${{ matrix.changed_dir }}/v${{ steps.calculate_version.outputs.version }}
+ dry_run: ${{ github.event_name == 'pull_request' }}
+ tag_prefix: ""
 - name: Create GitHub Release
 if: ${{ github.event_name != 'pull_request' }}
 uses: comnoco/create-release-action@v2.0.5
diff --git a/binary-builder-glibc/Dockerfile b/binary-builder-glibc/Dockerfile
index 2d8c10e..3a4f743 100644
--- a/binary-builder-glibc/Dockerfile
+++ b/binary-builder-glibc/Dockerfile
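Review bot: In the `Get Docker Metadata` step of docker_publish.yml, `DOCKER_METADATA_PR_HEAD_SHA: true` makes the `type=sha` tag name the pull request's head commit, while the image is built from whatever ref the checkout step (outside this hunk) produced, which on `pull_request` events is the merge commit unless a ref is set. If that is the case here, a pushed image tagged with a bare short SHA (`type=sha,prefix=`) names a commit its contents were not built from, which weakens tracing an image back to its source. Either check out the PR head explicitly or record the intent next to the setting, for example `# tag PR images with the PR head commit, not the merge commit`. The env value would also be safer written as the string `"true"`.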
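Review bot: Removing the `Generate artifact attestation` step means images are still pushed (`push: true`) but no longer receive the provenance attestation that `actions/attest-build-provenance` attached to `steps.push.outputs.digest`; the added `annotations:` input is unsigned metadata and does not replace it. If the step was dropped because it failed on pull requests, gating it with `if: ${{ github.event_name != 'pull_request' }}` would keep attestations for release builds. Separately, `Create Git Tag` now also runs on pull-request events, so the only thing preventing a tag push there is the third-party action honouring `dry_run`; pinning it as `uses: mathieudutour/github-tag-action@<full-commit-sha> # v6.2` would make that dependency immutable. The `Build and Push Docker image` step begins outside this hunk.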
@@ -3,6 +3,11 @@
 # contents of the container without us realising.
 FROM rockylinux@sha256:9794037624aaa6212aeada1d28861ef5e0a935adaf93e4ef79837119f2a2d04c
+LABEL org.opencontainers.image.title="binary-builder-glibc"
+LABEL org.opencontainers.image.description="Builder image for Rust binaries that must be built with glibc 2.28"
+LABEL org.opencontainers.image.vendor="Apollo GraphQL"
+LABEL org.opencontainers.image.licenses="MIT"
+
 ARG RUST_VERSION=1.80.1
 ARG NODE_VERSION=20.15.1
diff --git a/binary-builder-musl/Dockerfile b/binary-builder-musl/Dockerfile
index 18576c7..5106d6e 100644
--- a/binary-builder-musl/Dockerfile
+++ b/binary-builder-musl/Dockerfile
@@ -3,6 +3,11 @@
 # contents of the container without us realising.
 FROM rust@sha256:b3ac1f65cf33390407c9b90558eb41e7a8311c47d836fca5800960f1aa2d11d5
+LABEL org.opencontainers.image.title="binary-builder-musl"
+LABEL org.opencontainers.image.description="Builder image for Rust binaries that must be built with musl"
+LABEL org.opencontainers.image.vendor="Apollo GraphQL"
+LABEL org.opencontainers.image.licenses="MIT"
+
 # Update packages and package manager to keep us current
 RUN apk update && apk upgrade
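Review bot: The new `org.opencontainers.image.title`, `description` and `licenses` labels in both Dockerfiles are likely to be overridden in the published images. The workflow passes `labels: ${{ steps.meta.outputs.labels }}` to the build, and docker/metadata-action, as far as I know, generates those same keys from repository metadata; labels supplied at build time take precedence over Dockerfile `LABEL` lines. Only `vendor` would then survive as written, so the registry metadata would describe the repository rather than the individual builder image. If the per-image values are the intended ones, set them through the metadata step's `labels:` input, or add a comment such as `# applies to local builds; CI overrides title/description/licenses`.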