diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 16edf87..85df6ff 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -1,5 +1,9 @@
 name: Build
+permissions:
+ contents: read
+ packages: write
+
 on:
 push:
 branches:
@@ -38,6 +42,19 @@ jobs:
 if: github.event_name == 'release'
 run: echo "RELEASE_TAG=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV
+ - name: Get merge request latest commit
+ if: ${{ github.event_name == 'pull_request' }}
+ id: parse-commit-sha
+ run: |
+ head=$(git rev-parse HEAD)
+ echo "head_commit_sha=${head}" >> $GITHUB_ENV
+ echo "Head commit sha ${head}"
+
+ - name: Secret Scanning
+ uses: trufflesecurity/trufflehog@main
+ with:
+ extra_args: --only-verified
+
 - name: Build Go binary amd64
 run: go build -ldflags "-s -w -X main.GitCommit=$GITHUB_SHA -X main.GitRef=$GITHUB_REF -X main.Version=${RELEASE_TAG:-commit-$GITHUB_SHA}" -o bin/castai-agent-amd64 .
 env:
@@ -56,19 +73,36 @@ jobs:
 run: go test -race ./...
 - name: Set up QEMU
- uses: docker/setup-qemu-action@v2
+ uses: docker/setup-qemu-action@v3
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v2
+ uses: docker/setup-buildx-action@v3
 - name: Login to Google Artifact Registry
 if: github.event_name == 'release'
- uses: docker/login-action@v2
+ uses: docker/login-action@v3
 with:
 registry: us-docker.pkg.dev
 username: _json_key
 password: ${{ secrets.ARTIFACT_BUILDER_JSON_KEY }}
+ - name: Login to GitHub Container Registry
+ uses: docker/login-action@v3
+ if: ${{ github.event_name == 'pull_request' }}
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Build and push pr
+ if: ${{ github.event_name == 'pull_request' }}
+ uses: docker/build-push-action@v3
+ with:
+ context: .
+ push: true
+ platforms: linux/arm64,linux/amd64
+ tags: ghcr.io/castai/k8s-agent:${{ env.head_commit_sha }}
+
 - name: Build and push main
 if: github.event_name != 'release'
 uses: docker/build-push-action@v3
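Review bot: The new top-level `permissions` block grants `packages: write` to every job in this workflow, not only to the job that logs into ghcr.io and pushes the pull-request image later in this diff. Since the steps that need the write scope are all guarded by `github.event_name == 'pull_request'`, the scope could be declared under that job's key instead, leaving the workflow default at `contents: read`. Note that pull requests opened from forks receive a read-only GITHUB_TOKEN regardless of this block, so if this repository accepts fork PRs the ghcr push will fail for them; a comment such as `# packages: write is only used by the ghcr.io push on pull_request; fork PRs get a read-only token` would make the limitation visible to the next maintainer.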
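Review bot: `uses: trufflesecurity/trufflehog@main` pins the secret scanner to a mutable branch, so whatever is on that branch at run time executes inside a job whose token now carries `packages: write`; pin it to a release tag or, preferably, a full commit SHA with a trailing `# vX.Y.Z` comment (placeholder version), and consider the same for the `@v3` major tags elsewhere in this diff. Separately, `head=$(git rev-parse HEAD)` in the 'Get merge request latest commit' step records whatever ref the checkout left in place — on a `pull_request` event that is presumably the synthetic merge commit rather than the PR head the step name refers to; `github.event.pull_request.head.sha` would state the intent explicitly, and the step's `id: parse-commit-sha` is unused because the value goes to `$GITHUB_ENV` rather than `$GITHUB_OUTPUT`. The checkout step this depends on is outside the hunk.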
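Review bot: The 'Build and push pr' step publishes an image built from pull-request code into the same `ghcr.io/castai/k8s-agent` repository that holds the main and release images, distinguished only by a bare sha tag, so consumers pulling by name cannot tell a PR build from a trusted one. A separate repository or a tag prefix, e.g. `tags: ghcr.io/castai/k8s-agent:pr-${{ env.head_commit_sha }}`, keeps unreviewed builds out of the production image namespace. If `env.head_commit_sha` is ever empty the tag degenerates to `ghcr.io/castai/k8s-agent:` and the build fails; the value is set by a step in an earlier hunk under the same `if`, so this holds today but is worth a comment. Minor style: in 'Login to GitHub Container Registry' the `if:` sits between `uses:` and `with:`, whereas every other step in the file places `if:` before `uses:`. The 'Build and push main' step continues past the end of the hunk.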
@@ -141,4 +175,10 @@ jobs:
 with:
 files: |
 bin/castai-agent-amd64
- bin/castai-agent-arm64
\ No newline at end of file
+ bin/castai-agent-arm64
+
+ - name: Summary
+ if: ${{ github.event_name == 'pull_request' }}
+ run: |
+ echo "**Pushed docker images:**" >> $GITHUB_STEP_SUMMARY
+ echo "ghcr.io/castai/k8s-agent:${{ github.sha }}" >> $GITHUB_STEP_SUMMARY
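Review bot: The Summary step reports `ghcr.io/castai/k8s-agent:${{ github.sha }}`, but the image pushed in the earlier hunk is tagged with `${{ env.head_commit_sha }}` taken from `git rev-parse HEAD`; if those two values ever differ (for instance if the checkout ref is changed) the summary names a tag that was never pushed. Use the same source for both: `echo "ghcr.io/castai/k8s-agent:${{ env.head_commit_sha }}" >> $GITHUB_STEP_SUMMARY`. A short comment above the step, `# must match the tag used by 'Build and push pr'`, would keep the two from drifting apart.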