diff --git a/.github/workflows/docker_build.yaml b/.github/workflows/docker_build.yaml index 0da34ad6c..517715d9b 100644 --- a/.github/workflows/docker_build.yaml +++ b/.github/workflows/docker_build.yaml @@ -18,13 +18,13 @@ on: default: '' permissions: - contents: write + contents: write # Needed for pushing tags + packages: write # Needed for pushing docker images to GHCR jobs: tag_release: runs-on: ubuntu-latest - env: - IMAGE_TAG: ${{ needs.tag_release.outputs.new_tag }} + # Removed env: IMAGE_TAG here, it's not used correctly across jobs outputs: # Define output to pass the tag to the next job new_tag: ${{ steps.tag_version.outputs.next_version }} @@ -36,6 +36,8 @@ jobs: fetch-depth: 0 # Checkout the specific branch if provided, otherwise default ref: ${{ github.event.inputs.branch }} + # Token needed to push tags back + token: ${{ secrets.GITHUB_TOKEN }} - name: Get latest SemVer tag and calculate next version id: tag_version @@ -49,13 +51,19 @@ jobs: if [ -z "$LATEST_TAG" ]; then echo "No previous SemVer tag found. Starting with v0.1.0" - NEXT_VERSION="v0.1.0" - # Optionally adjust starting version based on bump_type, but v0.1.0 is common start - if [ "${{ github.event.inputs.bump_type }}" == "minor" ]; then - NEXT_VERSION="v0.1.0" # Or maybe v0.1.0 ? Depends on convention - elif [ "${{ github.event.inputs.bump_type }}" == "major" ]; then - NEXT_VERSION="v1.0.0" # Or maybe v1.0.0 ? Depends on convention - fi + # Determine initial version based on bump type (optional, v0.1.0 is often fine) + case "${{ github.event.inputs.bump_type }}" in + patch|minor) + NEXT_VERSION="v0.1.0" + ;; + major) + NEXT_VERSION="v1.0.0" + ;; + *) # Should not happen due to 'choice' input, but good practice + echo "Invalid bump type: ${{ github.event.inputs.bump_type }}" + exit 1 + ;; + esac else echo "Latest tag found: $LATEST_TAG" # Remove 'v' prefix for calculation 
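Review bot: The new workflow-level `packages: write` gives the `tag_release` job's token registry write access it never uses. The build job already declares its own `permissions:` block with `packages: write` (visible in a later hunk of this file), and a job-level block replaces the workflow-level one for that job. Dropping the added line, or moving `contents: write` into a `permissions:` block on `tag_release`, would leave each job with only the scope it needs. The workflow-level default could then be reduced to `contents: read`.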
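Review bot: The added `token: ${{ secrets.GITHUB_TOKEN }}` on the checkout step does not change behaviour, since `actions/checkout` already defaults `token` to the workflow token. What lets the later `git push` succeed is the `contents: write` permission together with the persisted credentials. The comment would be more accurate as `# Default token; tag push relies on contents: write`, or the two lines can be dropped.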
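Review bot: The new `case` and the `echo "Invalid bump type: ..."` line both expand `${{ github.event.inputs.bump_type }}` directly into the shell script text, so the value is spliced in before bash parses it. The `*)` branch is exactly the path taken when the value is not one of the expected choices, which is when that matters. Passing the input through the step's environment keeps it as data: add `env:` with `BUMP_TYPE: ${{ github.event.inputs.bump_type }}` on the step, then use `case "$BUMP_TYPE" in` and `echo "Invalid bump type: $BUMP_TYPE"`. The step header and the start of its `run:` block are outside this hunk, so the `env:` key would go there.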
@@ -94,32 +102,41 @@ jobs: - name: Create and Push Tag run: | + # Configure Git user identity for annotated tag (FIX) + git config --global user.name 'github-actions[bot]' + git config --global user.email 'github-actions[bot]@users.noreply.github.com' + NEXT_TAG="${{ steps.tag_version.outputs.next_version }}" COMMIT_SHA=$(git rev-parse HEAD) echo "Tagging commit $COMMIT_SHA with $NEXT_TAG" - # Create an annotated tag (recommended) + # Create an annotated tag (recommended) - this requires user.name/email git tag -a "$NEXT_TAG" -m "Release $NEXT_TAG" # Push the tag to the remote repository + echo "Pushing tag $NEXT_TAG to origin" git push origin "$NEXT_TAG" - name: Verify Tag Push run: | echo "Checking if tag ${{ steps.tag_version.outputs.next_version }} exists remotely..." + # Give remote a second to update + sleep 5 git ls-remote --tags origin | grep "refs/tags/${{ steps.tag_version.outputs.next_version }}" || (echo "Tag push verification failed!" && exit 1) echo "Tag successfully pushed." - build__and_push_docker_image: + build_and_push_docker_image: # Renamed job slightly for clarity runs-on: ubuntu-latest - needs: tag_release + needs: tag_release # Depends on the tag being created successfully permissions: - packages: write - contents: read + packages: write # Need permission to write to GHCR + contents: read # Need permission to read repo contents (checkout) steps: - name: Checkout code uses: actions/checkout@v4 + # No need to checkout specific ref here, use default branch code + # The tag is just metadata for the Docker image version - name: Login to GitHub Container Registry uses: docker/login-action@v3 
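Review bot: The comment added under `Checkout code` in the build job says the default ref is sufficient, but `tag_release` tags the HEAD of `inputs.branch` while this checkout takes the ref the workflow was dispatched on. The image published under the new version can therefore be built from a different commit than the one the git tag points to. Pinning the checkout to the tag keeps both traceable to one commit: `with:` followed by `ref: ${{ needs.tag_release.outputs.new_tag }}`. Separately, the `grep` in `Verify Tag Push` is unanchored and treats dots as wildcards, so a check for `v1.2.3` also passes on `v1.2.30`. `git ls-remote --exit-code --tags origin "refs/tags/<tag>"` checks the exact ref and sets the exit status itself.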
@@ -137,12 +154,19 @@ jobs: with: images: ghcr.io/${{ github.repository_owner }}/surfsense_backend tags: | - type=raw,value=0.0.1 + # Use the tag generated in the previous job (FIX) + type=raw,value=${{ needs.tag_release.outputs.new_tag }} + # Optionally add 'latest' tag if building from the default branch + type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) || github.event.inputs.branch == github.event.repository.default_branch }} - name: Build and push Docker image uses: docker/build-push-action@v5 with: context: ./surfsense_backend push: true - tags: $IMAGE_TAG + # Use the tags generated by the metadata action (FIX) + tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} + # Optional: Add build cache for faster builds + cache-from: type=gha + cache-to: type=gha,mode=max
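Review bot: The `enable=` expression on the new `latest` line is true when either the dispatch ref or `inputs.branch` equals the default branch, and the two can differ. Because the build job's checkout (outside this hunk) does not use `inputs.branch`, `latest` can be pushed for an image built from a non-default branch, or for code that does not match the commit that was tagged. Keying the condition on the single ref that is actually built would avoid this, for example `enable=${{ (github.event.inputs.branch || github.ref_name) == github.event.repository.default_branch }}`, combined with checking out that same ref in this job. It would also help to add a comment on the line stating which ref `latest` is meant to track.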