diff --git a/.github/workflows/ci.yml b/.github/workflows/cicd.yml
similarity index 75%
rename from .github/workflows/ci.yml
rename to .github/workflows/cicd.yml
index 3b451665..65313314 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/cicd.yml
@@ -1,10 +1,16 @@
-name: Python Tests
+name: CI/CD
 on:
 push:
 branches: [ "main" ]
 pull_request:
- branches: [ "**"] # Adjust branches as needed
+ branches: [ "**" ] # Adjust branches as needed
+ release:
+ types: [published]
+
+permissions:
+ id-token: write # Required for OIDC
+ contents: read # Required for checkout
 jobs:
 test:
@@ -45,6 +51,7 @@ jobs:
 start-runner:
 name: Start self-hosted EC2 runner
 runs-on: ubuntu-24.04
+ needs: test
 outputs:
 label: ${{ steps.start-ec2-runner.outputs.label }}
 ec2-instances-ids: ${{ steps.start-ec2-runner.outputs.ec2-instances-ids }}
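Review bot: The workflow-level `permissions` block grants `id-token: write` to every job in the file, including `test` and the runner jobs that also fire on `pull_request`, so code from any same-repository branch runs in a job that is allowed to request an OIDC token. As far as this diff shows, only `deploy-images` assumes the AWS role, so the grant belongs on that job: keep only `contents: read` under the top-level `permissions:` and add a job-level `permissions:` with `id-token: write` and `contents: read` under `deploy-images`. The role's trust policy is not visible here; it is worth confirming that it conditions on the token's `sub` claim (this repository plus `refs/heads/main` or the release tag refs) rather than on the audience alone.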
@@ -168,3 +175,50 @@ jobs:
 github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
 label: ${{ needs.start-runner.outputs.label }}
 ec2-instances-ids: ${{ needs.start-runner.outputs.ec2-instances-ids }}
+
+ deploy-images:
+ name: Publish ${{ matrix.component }} to ECR
+ needs: e2e-tests
+ if: (github.event_name == 'push' && github.ref == 'refs/heads/main') || github.event_name == 'release'
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ include:
+ - component: vllm
+ docker_build_extra_args: ""
+ - component: attestation
+ docker_build_extra_args: ""
+ - component: api
+ docker_build_extra_args: "--target nilai --platform linux/amd64"
+ steps:
+ - uses: actions/checkout@v4
+
+ - uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: "arn:aws:iam::054037142884:role/nilai-github"
+ aws-region: "us-east-1"
+
+ - uses: aws-actions/amazon-ecr-login@v2
+ id: login-ecr
+ with:
+ registry-type: public
+
+ - uses: docker/setup-buildx-action@v3
+
+ - name: Build and push ${{ matrix.component }} image
+ env:
+ ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
+ ECR_REGISTRY_ALIAS: k5d9x2g2
+ ECR_REPOSITORY: nilai-${{ matrix.component }}
+ IMAGE_TAG: ${{ github.event_name == 'release' && github.ref_name || github.sha }}
+ run: |
+ ECR_REGISTRY_URL="${ECR_REGISTRY}/${ECR_REGISTRY_ALIAS}/${ECR_REPOSITORY}"
+
+ docker build \
+ --push \
+ -f docker/${{ matrix.component }}.Dockerfile \
+ -t ${ECR_REGISTRY_URL}:${IMAGE_TAG} \
+ ${{ matrix.docker_build_extra_args }} \
+ .
+
+ echo "Pushed ${{ matrix.component }} image: ${ECR_REGISTRY_URL}:${IMAGE_TAG}" >> $GITHUB_STEP_SUMMARY
diff --git a/nilai-api/pyproject.toml b/nilai-api/pyproject.toml
index 36c16896..079934aa 100644
--- a/nilai-api/pyproject.toml
+++ b/nilai-api/pyproject.toml
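Review bot: The actions used by `deploy-images` are referenced by mutable tags (`@v4`, `@v2`, `@v3`) in the one job that holds AWS credentials and pushes images; pinning each to a full commit SHA, e.g. `uses: aws-actions/configure-aws-credentials@<full-commit-sha> # v4`, keeps a moved tag from running with that role. In the `run` script the image reference is expanded unquoted, and on release events `IMAGE_TAG` comes from `github.ref_name`; it is already passed through `env:`, which is the right pattern, and the argument should be quoted as `-t "${ECR_REGISTRY_URL}:${IMAGE_TAG}" \`. A release tag also yields a mutable image tag, whereas pushes to `main` are tagged by commit SHA, so consumers that need immutability should pull by digest. The job runs on `ubuntu-latest` while `start-runner` pins `ubuntu-24.04`; using the pinned label here too keeps the publishing environment reproducible.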
@@ -43,4 +43,6 @@ build-backend = "hatchling.build"
 [tool.uv.sources]
 nilai-common = { workspace = true }
 nuc-helpers = { workspace = true }
-nuc = { git = "https://github.com/NillionNetwork/nuc-py.git", tag = "54c7171e0e30fc9a68ba9e307bb6e92a0690f4d8" }
+
+nuc = { git = "https://github.com/NillionNetwork/nuc-py.git", rev = "4922b5e9354e611cc31322d681eb29da05be584e" }
+
diff --git a/nilai-auth/nuc-helpers/pyproject.toml b/nilai-auth/nuc-helpers/pyproject.toml
index 9d8831dd..517fffd6 100644
--- a/nilai-auth/nuc-helpers/pyproject.toml
+++ b/nilai-auth/nuc-helpers/pyproject.toml
@@ -20,4 +20,6 @@ requires = ["hatchling"]
 build-backend = "hatchling.build"
 [tool.uv.sources]
-nuc = { git = "https://github.com/NillionNetwork/nuc-py.git", tag = "54c7171e0e30fc9a68ba9e307bb6e92a0690f4d8" }
+
+nuc = { git = "https://github.com/NillionNetwork/nuc-py.git", rev = "4922b5e9354e611cc31322d681eb29da05be584e" }
+
diff --git a/uv.lock b/uv.lock
index f91a90ef..b532ddb1 100644
--- a/uv.lock
+++ b/uv.lock
@@ -1387,7 +1387,7 @@ requires-dist = [
 { name = "httpx", specifier = ">=0.27.2" },
 { name = "nilai-common", editable = "packages/nilai-common" },
 { name = "nilrag", specifier = ">=0.1.11" },
- { name = "nuc", git = "https://github.com/NillionNetwork/nuc-py.git?tag=4922b5e9354e611cc31322d681eb29da05be584e" },
+ { name = "nuc", git = "https://github.com/NillionNetwork/nuc-py.git?rev=4922b5e9354e611cc31322d681eb29da05be584e" },
 { name = "nuc-helpers", editable = "nilai-auth/nuc-helpers" },
 { name = "openai", specifier = ">=1.59.9" },
 { name = "pg8000", specifier = ">=1.31.2" },
@@ -1511,7 +1511,7 @@ wheels = [
 [[package]]
 name = "nuc"
 version = "0.0.0a0"
-source = { git = "https://github.com/NillionNetwork/nuc-py.git?tag=4922b5e9354e611cc31322d681eb29da05be584e#4922b5e9354e611cc31322d681eb29da05be584e" }
+source = { git = "https://github.com/NillionNetwork/nuc-py.git?rev=4922b5e9354e611cc31322d681eb29da05be584e#4922b5e9354e611cc31322d681eb29da05be584e" }
 dependencies = [
 { name = "cosmpy" },
 { name = "requests" },
@@ -1534,7 +1534,7 @@ dependencies = [
 requires-dist = [
 { name = "cosmpy", specifier = "==0.9.2" },
 { name = "httpx", specifier = ">=0.28.1" },
- { name = "nuc", git = "https://github.com/NillionNetwork/nuc-py.git?tag=4922b5e9354e611cc31322d681eb29da05be584e" },
+ { name = "nuc", git = "https://github.com/NillionNetwork/nuc-py.git?rev=4922b5e9354e611cc31322d681eb29da05be584e" },
 { name = "pydantic", specifier = ">=2.11.2" },
 { name = "secp256k1", specifier = ">=0.14.0" },
 ]