diff --git a/.github/workflows/pre-release.yml b/.github/workflows/pre-release.yml index 13553bf8..1d7b2efd 100644 --- a/.github/workflows/pre-release.yml +++ b/.github/workflows/pre-release.yml @@ -133,7 +133,7 @@ jobs: prerelease: true docker-snapshot: - name: Build & Push Snapshot Docker Image + name: Build & Push Snapshot Image (ko) runs-on: ubuntu-latest needs: test permissions: 
@@ -144,40 +144,29 @@ jobs: - name: Check out code uses: actions/checkout@v4 - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + - name: Set up Go + uses: actions/setup-go@v5 + with: + go-version: '1.26' + cache: true - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + - name: Set up ko + uses: ko-build/setup-ko@v0.9 - name: Log in to GitHub Container Registry - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} + run: echo "${{ secrets.GITHUB_TOKEN }}" | ko login ghcr.io --username ${{ github.actor }} --password-stdin - - name: Extract metadata - id: meta - uses: docker/metadata-action@v5 - with: - images: ghcr.io/${{ github.repository }} - tags: | - type=raw,value=snapshot - type=sha,prefix=main- - - # The Dockerfile is a multi-stage build that builds the UI and embeds it - # into the Go binary automatically — no separate UI artifact needed here. - - name: Build and push snapshot image - uses: docker/build-push-action@v6 - with: - context: . - file: ./Dockerfile - push: true - tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} - platforms: linux/amd64,linux/arm64 - cache-from: type=gha - cache-to: type=gha,mode=max - build-args: | - NPM_TOKEN=${{ secrets.GITHUB_TOKEN }} + - name: Build and push snapshot + env: + KO_DOCKER_REPO: ghcr.io/${{ github.repository }} + GOPRIVATE: github.com/GoCodeAlone/* + GONOSUMCHECK: github.com/GoCodeAlone/* + GOFLAGS: -mod=mod + run: | + SHA_SHORT="${GITHUB_SHA:0:7}" + + ko build ./cmd/server \ + --bare \ + --platform=linux/amd64,linux/arm64 \ + --tags="snapshot,main-sha-${SHA_SHORT}" \ + --sbom=spdx diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index dc437f4b..abf79d50 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
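Review bot: The new `Log in to GitHub Container Registry` step pastes `${{ secrets.GITHUB_TOKEN }}` and `${{ github.actor }}` directly into the shell script text, so both are expanded by the workflow template engine before the shell runs, and the actor name is left unquoted. Passing them through the step's `env:` (for example `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` and `GH_ACTOR: ${{ github.actor }}`) keeps the values out of the script body: `run: echo "$GH_TOKEN" | ko login ghcr.io --username "$GH_ACTOR" --password-stdin`. The identical step in the release.yml hunk needs the same change. It is also worth checking whether `ko-build/setup-ko` already authenticates to ghcr.io on its own, in which case this step could be dropped.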
@@ -94,7 +94,7 @@ jobs: retention-days: 1 docker: - name: Build & Push Docker Image + name: Build & Push Container Image (ko) runs-on: ubuntu-latest needs: test permissions: 
@@ -105,44 +105,39 @@ jobs: - name: Check out code uses: actions/checkout@v4 - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + - name: Set up Go + uses: actions/setup-go@v5 + with: + go-version: '1.26' + cache: true - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + - name: Set up ko + uses: ko-build/setup-ko@v0.9 - name: Log in to GitHub Container Registry - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} + run: echo "${{ secrets.GITHUB_TOKEN }}" | ko login ghcr.io --username ${{ github.actor }} --password-stdin - - name: Extract metadata - id: meta - uses: docker/metadata-action@v5 - with: - images: ghcr.io/${{ github.repository }} - tags: | - type=semver,pattern={{version}},value=${{ env.TAG_NAME }} - type=semver,pattern={{major}}.{{minor}},value=${{ env.TAG_NAME }} - type=sha - - # The Dockerfile is a multi-stage build that builds the UI and embeds it - # into the Go binary automatically — no separate UI artifact needed here. - name: Build and push - uses: docker/build-push-action@v6 - with: - context: . - file: ./Dockerfile - push: true - tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} - platforms: linux/amd64,linux/arm64 - cache-from: type=gha - cache-to: type=gha,mode=max - build-args: | - NPM_TOKEN=${{ secrets.GITHUB_TOKEN }} + env: + KO_DOCKER_REPO: ghcr.io/${{ github.repository }} + GOPRIVATE: github.com/GoCodeAlone/* + GONOSUMCHECK: github.com/GoCodeAlone/* + GOFLAGS: -mod=mod + run: | + VERSION="${TAG_NAME#v}" + CORE_VERSION="${VERSION%%[-+]*}" + MAJOR_MINOR="$(echo "$CORE_VERSION" | cut -d. 
-f1-2)" + SHA_SHORT="${GITHUB_SHA:0:7}" + + ko build ./cmd/server \ + --bare \ + --platform=linux/amd64,linux/arm64 \ + --tags="${TAG_NAME},${VERSION},${MAJOR_MINOR},sha-${SHA_SHORT}" \ + --sbom=spdx \ + --image-refs=/tmp/image-refs.txt + + echo "Pushed images:" + cat /tmp/image-refs.txt build-binaries: name: Build ${{ matrix.name }} binaries diff --git a/.ko.yaml b/.ko.yaml new file mode 100644 index 00000000..5cfaa015 --- /dev/null +++ b/.ko.yaml @@ -0,0 +1,9 @@ +defaultBaseImage: cgr.dev/chainguard/static@sha256:d6a97eb401cbc7c6d48be76ad81d7899b94303580859d396b52b67bc84ea7345 +builds: + - id: server + main: ./cmd/server + env: + - CGO_ENABLED=0 + ldflags: + - -s + - -w diff --git a/Dockerfile b/Dockerfile.legacy similarity index 87% rename from Dockerfile rename to Dockerfile.legacy index 3606ddc0..950f7fde 100644 --- a/Dockerfile +++ b/Dockerfile.legacy @@ -1,6 +1,7 @@ -# Multi-stage build for the Workflow engine server. +# Legacy Dockerfile for local docker-compose development. +# Production container builds use ko (see .ko.yaml). # -# Build: docker build -t workflow . +# Build: docker build -f Dockerfile.legacy -t workflow . # Run: docker run -p 8080:8080 workflow -config /etc/workflow/config.yaml # # The admin UI is served by the external workflow-plugin-admin binary, diff --git a/Makefile b/Makefile index e8480d2e..8c39a95d 100644 --- a/Makefile +++ b/Makefile @@ -1,4 +1,4 @@ -.PHONY: build build-ui build-go test bench bench-baseline bench-compare lint fmt vet fix install-hooks clean +.PHONY: build build-ui build-go test bench bench-baseline bench-compare lint fmt vet fix install-hooks clean ko-build # Common benchmark flags BENCH_FLAGS = -bench=. -benchmem -run=^$$ -timeout=30m 
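Review bot: `GOFLAGS: -mod=mod` in the `Build and push` env lets the go command rewrite go.mod and go.sum during the release build, so a dependency missing from the committed go.sum is resolved at build time instead of failing the job. For modules matched by `GOPRIVATE` there is no checksum-database lookup, so such an entry would be trusted on first fetch. Dropping the flag (the default is `-mod=readonly`) or setting `GOFLAGS: -mod=readonly` makes the published image depend only on sums that were reviewed and committed. `GONOSUMCHECK` does not look like a variable the go command reads; `GOPRIVATE` already implies `GONOSUMDB` and `GONOPROXY`, so that line can probably be removed. The same env block appears in the snapshot job in the pre-release.yml hunk.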
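Review bot: The digest pin on `defaultBaseImage` in .ko.yaml has no comment saying which tag it was resolved from or when. A later bump therefore cannot be reviewed against anything, and the base image stops receiving updates until someone remembers to refresh it. A line such as `# cgr.dev/chainguard/static:<TAG>, resolved <DATE>; refresh with <COMMAND>` above it, plus an automated digest updater if the project uses one, would cover that. Separately, the workflows in this commit install ko through `ko-build/setup-ko@v0.9` with no `version:` input, so the tool that consumes this pinned config appears to be unpinned itself. Consider fixing the ko version and referencing the action by commit SHA.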
@@ -79,6 +79,10 @@ ci: fmt vet test lint run-admin: build JWT_SECRET=$${JWT_SECRET:-workflow-admin-secret} ./server -config $(or $(CONFIG),example/chat-platform/workflow.yaml) --admin +# Build container image with ko (requires ko: brew install ko) +ko-build: + KO_DOCKER_REPO=ko.local ko build ./cmd/server --bare --platform=linux/$(shell go env GOARCH) + # Clean build artifacts clean: rm -f server diff --git a/deploy/docker-compose/docker-compose.yml b/deploy/docker-compose/docker-compose.yml index 181223eb..50ebf91a 100644 --- a/deploy/docker-compose/docker-compose.yml +++ b/deploy/docker-compose/docker-compose.yml @@ -11,7 +11,7 @@ services: workflow-server: build: context: ../.. - dockerfile: Dockerfile + dockerfile: Dockerfile.legacy image: workflow-server:local container_name: workflow-server ports: