diff --git a/.dockerignore b/.dockerignore
index fec1a0d..39f000a 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,3 +1,12 @@
-# Only allow access to cost-manager binary
-*
-!/bin/cost-manager
+.dockerignore
+Dockerfile
+
+.git/
+.gitignore
+
+bin/
+
+LICENSE
+README.md
+
+charts/
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 62241ce..5c077e6 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
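Review bot: The new deny-list drops the default-deny rule (`*` plus `!/bin/cost-manager`), so every path not named here now enters the build context and is copied into the build stage by the `COPY . .` this commit adds to the Dockerfile. Paths such as a local `.env`, a kubeconfig or an editor directory are not listed, and the `cache-to` setting with `mode=max` added in ci.yaml exports intermediate build-stage layers to the registry, so that layer is not confined to the build host. An allow-list is safer because a new file stays excluded until someone opts it in. The patterns below assume the build needs only Go sources and module files, which should be confirmed against the repository (embedded assets would need their own exception).

```dockerignore
# Default-deny: only Go sources and module files enter the build context
*
!go.mod
!go.sum
!**/*.go
```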
@@ -1,38 +1,48 @@ name: ci on: push +# https://github.com/golangci/golangci-lint-action?tab=readme-ov-file#comments-and-annotations +permissions: + contents: read + pull-requests: read + checks: write jobs: - # https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-go - build: + # https://github.com/golangci/golangci-lint-action?tab=readme-ov-file#how-to-use + lint: runs-on: ubuntu-latest steps: - - name: Checkout - uses: actions/checkout@v4 - - name: Setup Go - uses: actions/setup-go@v4 + - uses: actions/checkout@v4 + - uses: actions/setup-go@v4 with: go-version: '1.21' - - name: Download dependencies - run: go mod download - - name: Test - run: make test - - name: Build - run: make build - - name: Upload binary - uses: actions/upload-artifact@v3 + cache: false + - name: golangci-lint + uses: golangci/golangci-lint-action@v3 with: - name: cost-manager - path: ./bin/cost-manager + version: v1.54 + args: --timeout=10m + # https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-go + test: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: actions/setup-go@v4 + with: + go-version: '1.21' + - run: go mod download + - run: make test + - run: make build # https://docs.docker.com/build/ci/github-actions/multi-platform/ - release: - # Only build Docker image for repository PRs since secrets are not available to forks: - # https://github.com/orgs/community/discussions/25217#discussioncomment-3246904 + build: + # Do not build Docker images for forked repositories since Docker Hub secrets are not available: + # https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions#using-secrets-in-a-workflow if: ${{ ! 
github.event.pull_request.head.repo.fork }} - # We require the cost-manager binary artifact from the build job - needs: build + # Make sure the tests have passed before building + needs: + - lint + - test runs-on: ubuntu-latest steps: - - name: Checkout - uses: actions/checkout@v4 + - uses: actions/checkout@v4 - name: Set up QEMU uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx @@ -42,11 +52,6 @@ jobs: with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - - name: Download binary - uses: actions/download-artifact@v3 - with: - name: cost-manager - path: ./bin/cost-manager - name: Build and push uses: docker/build-push-action@v5 # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable @@ -58,3 +63,6 @@ jobs: platforms: linux/amd64 push: true tags: ${{ secrets.DOCKERHUB_USERNAME }}/cost-manager:${{ env.BRANCH == 'main' && 'latest' || env.BRANCH }} + # https://docs.docker.com/build/ci/github-actions/cache/#registry-cache + cache-from: type=registry,ref=${{ secrets.DOCKERHUB_USERNAME }}/cost-manager:buildcache + cache-to: type=registry,ref=${{ secrets.DOCKERHUB_USERNAME }}/cost-manager:buildcache,mode=max diff --git a/Dockerfile b/Dockerfile index fa925d0..ab4dbe7 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,16 @@ +FROM golang:1.21 as build + +WORKDIR /go/src/cost-manager + +COPY go.mod go.sum ./ +RUN go mod download + +COPY . . + +# Build static cost-manager binary +RUN CGO_ENABLED=0 go build -ldflags="-s -w" -o /go/bin/cost-manager + FROM gcr.io/distroless/static-debian12:nonroot -COPY ./bin/cost-manager / +COPY --from=build /go/bin/cost-manager / ENTRYPOINT ["/cost-manager"] diff --git a/Makefile b/Makefile index 6be5c25..eddcf1f 100644 --- a/Makefile +++ b/Makefile 
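Review bot: The top-level `permissions` block gives `checks: write` and `pull-requests: read` to every job, including `build`, which logs in to Docker Hub and runs third-party Docker actions, although only the `lint` job's golangci-lint annotations appear to need them. Declaring `contents: read` at workflow level and the wider set on `lint` alone keeps the token in the secret-handling job at the minimum. Job-level `permissions` replace the workflow-level set rather than extend it, so `lint` has to restate `contents: read`. Separately, the newly added `golangci/golangci-lint-action@v3` is referenced by a mutable tag; pinning it to a full commit SHA (`golangci/golangci-lint-action@<full-commit-sha> # v3`) would stop a retagged release from running with this token.

```yaml
permissions:
  contents: read
jobs:
  lint:
    permissions:
      contents: read
      pull-requests: read
      checks: write
    runs-on: ubuntu-latest
    # … unchanged: lint steps …
```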
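Review bot: Every branch push writes to the same `cost-manager:buildcache` ref that the `main` build reads through `cache-from`, so layers produced by an unreviewed branch build can be reused when `latest` is built. Writing the cache only from `main` keeps branch builds as read-only consumers, for example `cache-to: ${{ env.BRANCH == 'main' && format('type=registry,ref={0}/cost-manager:buildcache,mode=max', secrets.DOCKERHUB_USERNAME) || '' }}`; whether the action accepts an empty `cache-to` should be checked against its documentation. `mode=max` also publishes the build-stage layers, including the `COPY . .` layer, under that tag, so the tag should be treated as containing the full build context. The step these lines belong to starts outside the hunk.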
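Review bot: The shipped binary is now compiled inside `golang:1.21`, a floating tag, so the toolchain that produces the release can change between builds without any change in this repository. Pinning the build stage by digest, `FROM golang:1.21@sha256:<digest-placeholder> AS build`, makes the compiler image reviewable and lets a dependency bot propose updates; the same applies to the `gcr.io/distroless/static-debian12:nonroot` runtime base. Adding `-trimpath` to the `go build` line would also keep build-host paths out of the binary.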
@@ -2,10 +2,10 @@ test: go test -race ./... build: - CGO_ENABLED=0 go build -tags netgo -ldflags="-s -w" -o ./bin/cost-manager + go build -o ./bin/cost-manager run: build ./bin/cost-manager -image: build +image: docker build -t cost-manager .