diff --git a/.github/workflows/container.yml b/.github/workflows/container.yml
index bf5cf02..b858cff 100644
--- a/.github/workflows/container.yml
+++ b/.github/workflows/container.yml
@@ -3,6 +3,11 @@ name: Build container image
 on:
   workflow_call:
   workflow_dispatch:
+    inputs:
+      penumbra_version:
+        description: 'Git ref (e.g. branch or tag) of Penumbra repo for building'
+        default: "main"
+        required: true
   push:
     branches:
       - main
@@ -45,7 +50,11 @@ jobs:
           platforms: linux/amd64
           file: Containerfile
           push: true
-          tags: ${{ steps.meta.outputs.tags }}
+          # We include a tag with the associated Penumbra, e.g. `penumbra-v0.57.0`.
+          # This is important to maintain compatibility with a long-running testnet.
+          tags: ${{ steps.meta.outputs.tags }},penumbra-${{ github.event.inputs.penumbra_version || 'main' }}
+          build-args: |
+            PENUMBRA_VERSION=${{ github.event.inputs.penumbra_version || 'main' }}
           # We disable layer caching to ensure that the most recent penumbra repo is used.
           # Otherwise, the static git url for the repo will always result in a cache hit.
           # TODO: update with dynamic build-args using e.g. current date to bust cache.
diff --git a/Containerfile b/Containerfile
index d46d740..6d73a5c 100644
--- a/Containerfile
+++ b/Containerfile
@@ -1,22 +1,26 @@
+ARG PENUMBRA_VERSION=main
+# ARG PENUMBRA_VERSION=v0.54.1
 # Pull from Penumbra container, so we can grab a recent `pcli` without
 # needing to compile from source.
-FROM ghcr.io/penumbra-zone/penumbra:main AS penumbra
-FROM docker.io/rust:1-bullseye AS builder
+FROM ghcr.io/penumbra-zone/penumbra:${PENUMBRA_VERSION} AS penumbra
 
+# Build the osiris binary
+FROM docker.io/rust:1-bullseye AS builder
+ARG PENUMBRA_VERSION=main
 RUN apt-get update && apt-get install -y \
         libssl-dev git-lfs clang
-# Shallow clone since we only want most recent HEAD; this should change
-# if/when we want to support specific refs, such as release tags, for Penumbra deps.
-RUN git clone --depth=1 https://github.com/penumbra-zone/penumbra /app/penumbra
-COPY . /app/osiris
-WORKDIR /app/osiris
+# Clone in Penumbra deps to relative path, required due to git-lfs.
+RUN git clone --depth 1 --branch "${PENUMBRA_VERSION}" https://github.com/penumbra-zone/penumbra /usr/src/penumbra
+COPY . /usr/src/osiris
+WORKDIR /usr/src/osiris
 RUN cargo build --release
 
+# Runtime container, copying in built artifacts
 FROM docker.io/debian:bullseye-slim
 RUN apt-get update && apt-get install -y ca-certificates
 RUN groupadd --gid 1000 penumbra \
         && useradd -m -d /home/penumbra -g 1000 -u 1000 penumbra
-COPY --from=builder /app/osiris/target/release/osiris /usr/bin/osiris
 COPY --from=penumbra /bin/pcli /usr/bin/pcli
+COPY --from=builder /usr/src/osiris/target/release/osiris /usr/bin/osiris
 WORKDIR /home/penumbra
 USER penumbra