diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 37f4c04c..a0e19934 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -20,43 +20,50 @@ jobs: permissions: contents: write # required for creating GH release id-token: write # required for reading vault secrets + strategy: + matrix: + include: + # Three images are created: + # - Multi-arch manifest for both amd64 and arm64 + - tag-suffix: "" + platforms: linux/amd64,linux/arm64 + # - arm64 manifest + - tag-suffix: "-arm64" + platforms: linux/arm64 + # - amd64 manifest + - tag-suffix: "-amd64" + platforms: linux/amd64 runs-on: ubuntu-latest steps: + - name: Checkout code + uses: actions/checkout@v4 + with: + fetch-depth: 0 + ref: ${{ github.ref_name}} - name: Read secrets uses: rancher-eio/read-vault-secrets@main with: secrets: | secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials username | PUBLIC_REGISTRY_USERNAME ; secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials password | PUBLIC_REGISTRY_PASSWORD ; - - name: Login to DockerHub - uses: docker/login-action@v3 + secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials registry | PRIME_REGISTRY ; + secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials username | PRIME_REGISTRY_USERNAME ; + secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials password | PRIME_REGISTRY_PASSWORD ; + - name: Publish images + uses: rancher/ecm-distro-tools/actions/publish-image@master with: - registry: ${{ vars.PUBLIC_REGISTRY }} - username: ${{ env.PUBLIC_REGISTRY_USERNAME }} - password: ${{ env.PUBLIC_REGISTRY_PASSWORD }} - - name: Setup QEMU - uses: docker/setup-qemu-action@v3 - - name: Setup Docker Buildx - uses: docker/setup-buildx-action@v3 - - name: Checkout code - uses: actions/checkout@v4 - with: - fetch-depth: 0 - ref: ${{ github.ref_name}} - - name: Set up Go - uses: actions/setup-go@v5 - with: - go-version-file: 'go.mod' - check-latest: true - - name: Build and push all image variations - run: | - make 
operator - make image-push - TAG="${TAG}-amd64" TARGET_PLATFORMS=linux/amd64 make image-push - TAG="${TAG}-arm64" TARGET_PLATFORMS=linux/arm64 make image-push - env: - TAG: ${{ github.ref_name }} - REPO: ${{ vars.PUBLIC_REGISTRY }}/${{ vars.PUBLIC_REGISTRY_REPO }} + image: aks-operator + tag: ${{ github.ref_name }}${{ matrix.tag-suffix }} + platforms: ${{ matrix.platforms }} + public-registry: docker.io + public-repo: rancher + public-username: ${{ env.DOCKER_USERNAME }} + public-password: ${{ env.DOCKER_PASSWORD }} + prime-registry: ${{ env.PRIME_REGISTRY }} + prime-repo: rancher + prime-username: ${{ env.PRIME_REGISTRY_USERNAME }} + prime-password: ${{ env.PRIME_REGISTRY_PASSWORD }} + make-target: image-push - name: Create release env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # required for creating GH release diff --git a/.github/workflows/scan.yaml b/.github/workflows/scan.yaml index 4de1c97e..4b60092d 100644 --- a/.github/workflows/scan.yaml +++ b/.github/workflows/scan.yaml @@ -17,13 +17,6 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 0 - - name: Set up Go - uses: actions/setup-go@v5 - with: - go-version-file: 'go.mod' - check-latest: true - - name: Build operator - run: make operator - name: Set up Docker Buildx id: buildx uses: docker/setup-buildx-action@v3.2.0 diff --git a/Makefile b/Makefile index c1415552..37972cbf 100644 --- a/Makefile +++ b/Makefile 
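Review bot: The new `Publish images` step passes `${{ env.DOCKER_USERNAME }}` and `${{ env.DOCKER_PASSWORD }}` as the docker.io credentials, but the `Read secrets` step exports them as `PUBLIC_REGISTRY_USERNAME` / `PUBLIC_REGISTRY_PASSWORD` and nothing in the hunk sets a `DOCKER_*` variable, so the public push would run with empty credentials; change the two lines to `public-username: ${{ env.PUBLIC_REGISTRY_USERNAME }}` and `public-password: ${{ env.PUBLIC_REGISTRY_PASSWORD }}`. `rancher/ecm-distro-tools/actions/publish-image@master` receives both registries' passwords yet is pinned to a moving branch; pin it (and ideally the pre-existing `read-vault-secrets@main`) to a full commit SHA so a compromised upstream branch cannot exfiltrate the tokens. Because `strategy.matrix` now wraps the whole job, the trailing `Create release` step — whose body lies outside the hunk — appears to run once per matrix entry, and if it creates the GitHub release unconditionally the second and third runs are likely to conflict; guard it with something like `if: matrix.tag-suffix == ''` or move it to a separate job that `needs` this one.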
@@ -12,8 +12,14 @@ CRD_CHART?=$(shell find $(ROOT_DIR) -type f -name "rancher-aks-operator-crd*.tgz CHART_VERSION?=900 # Only used in e2e to avoid downgrades from rancher REPO?=docker.io/rancher/aks-operator IMAGE = $(REPO):$(TAG) -TARGET_PLATFORMS := linux/amd64,linux/arm64 MACHINE := rancher +# Define the target platforms that can be used across the ecosystem. +# Note that what would actually be used for a given project will be +# defined in TARGET_PLATFORMS, and must be a subset of the below: +DEFAULT_PLATFORMS := linux/amd64,linux/arm64,darwin/arm64,darwin/amd64 +TARGET_PLATFORMS := linux/amd64,linux/arm64 +BUILDX_ARGS ?= --sbom=true --attest type=provenance,mode=max + CLUSTER_NAME?="aks-operator-e2e" E2E_CONF_FILE ?= $(ROOT_DIR)/test/e2e/config/config.yaml @@ -125,9 +131,10 @@ charts: $(MAKE) operator-chart $(MAKE) crd-chart -buildx-machine: +.PHONY: buildx-machine +buildx-machine: ## create rancher dockerbuildx machine targeting platform defined by DEFAULT_PLATFORMS @docker buildx ls | grep $(MACHINE) || \ - docker buildx create --name=$(MACHINE) --platform=$(TARGET_PLATFORMS) + docker buildx create --name=$(MACHINE) --platform=$(DEFAULT_PLATFORMS) .PHONY: image-build image-build: buildx-machine ## build (and load) the container image targeting the current platform. @@ -139,7 +146,7 @@ image-build: buildx-machine ## build (and load) the container image targeting th .PHONY: image-push image-push: buildx-machine ## build the container image targeting all platforms defined by TARGET_PLATFORMS and push to a registry. docker buildx build -f package/Dockerfile \ - --builder $(MACHINE) --build-arg VERSION=$(TAG) \ + --builder $(MACHINE) $(IID_FILE_FLAG) $(BUILDX_ARGS) --build-arg VERSION=$(TAG) \ --platform=$(TARGET_PLATFORMS) -t "$(IMAGE)" --push . @echo "Pushed $(IMAGE)" diff --git a/package/Dockerfile b/package/Dockerfile index cbcaea98..89cf3061 100644 --- a/package/Dockerfile +++ b/package/Dockerfile 
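Review bot: `TARGET_PLATFORMS := linux/amd64,linux/arm64` is an immediate assignment, so a value exported into the environment by the publish-image action (which now supplies `platforms` per matrix entry) would be silently ignored unless the action puts it on the make command line; `BUILDX_ARGS ?=` and `REPO?=` in the same hunk use the overridable form, so `TARGET_PLATFORMS ?= linux/amd64,linux/arm64` is the consistent choice and matches the new comment describing it as a per-project subset. That comment says TARGET_PLATFORMS "must be a subset" of DEFAULT_PLATFORMS, but nothing enforces it; phrase it as an expectation rather than a guarantee unless a check is added. For the new `BUILDX_ARGS`, `mode=max` provenance records the build arguments in the published attestation — harmless while the only one is `VERSION=$(TAG)` — so a one-line warning next to it, `# mode=max embeds --build-arg values in the public attestation; never pass secrets that way`, would protect against a future change leaking credentials.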
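Review bot: `$(IID_FILE_FLAG)` is spliced into the `docker buildx build` recipe of `image-push` but is neither defined nor documented anywhere in the Makefile hunks, so it expands to nothing on a local `make image-push` and its purpose is invisible to a reader; presumably the publish-image action exports it (an `--iidfile=<path>` used to capture the pushed digest), but that is only an inference from the name. Declare it next to the other tunables in the variables block so the contract is explicit: `# IID_FILE_FLAG is set by CI (e.g. --iidfile=<path>) to capture the image digest; empty for local builds.` followed by `IID_FILE_FLAG ?=`. The `image-push` target is otherwise complete within this hunk.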
@@ -1,17 +1,37 @@
-FROM registry.suse.com/bci/bci-base:15.6 AS builder
+# Image that provides cross compilation tooling.
+FROM --platform=$BUILDPLATFORM rancher/mirrored-tonistiigi-xx:1.5.0 AS xx
+
+FROM registry.suse.com/bci/bci-base:15.6 AS base
 RUN sed -i 's/^CREATE_MAIL_SPOOL=yes/CREATE_MAIL_SPOOL=no/' /etc/default/useradd
 RUN useradd --uid 1007 aks-operator
+FROM --platform=$BUILDPLATFORM registry.suse.com/bci/golang:1.23 AS builder
+
+WORKDIR /app
+COPY go.mod go.sum ./
+RUN go mod download && go mod verify
+
+COPY ./controller ./controller
+COPY ./pkg ./pkg
+COPY ./main.go ./main.go
+
+# Copy xx scripts to your build stage
+COPY --from=xx / /
+
+ARG TARGETPLATFORM
+ENV CGO_ENABLED=0
+RUN xx-go build -o /aks-operator && xx-verify /aks-operator
+
 FROM registry.suse.com/bci/bci-micro:15.6
-COPY --from=builder /etc/passwd /etc/passwd
-COPY --from=builder /etc/shadow /etc/shadow
+COPY --from=base /etc/passwd /etc/passwd
+COPY --from=base /etc/shadow /etc/shadow
+COPY --from=builder /aks-operator /usr/bin/aks-operator
 RUN rm -rf /tmp/* /var/tmp/* /usr/share/doc/packages/*
 ENV KUBECONFIG="/home/aks-operator/.kube/config"
 ENV SSL_CERT_DIR="/etc/rancher/ssl"
-COPY bin/aks-operator /usr/bin/
 COPY package/entrypoint.sh /usr/bin
 RUN chmod +x /usr/bin/entrypoint.sh