diff --git a/.github/workflows/build-images.yml b/.github/workflows/build-images.yml index 8dd0efd..c1ae502 100644 --- a/.github/workflows/build-images.yml +++ b/.github/workflows/build-images.yml @@ -16,7 +16,8 @@ on: workflow_dispatch: env: - PUSH_IMAGES: true + PUSH_IMAGES: ${{ github.ref == 'refs/heads/trunk' }} + PROVENANCE: false jobs: build-base-images: @@ -34,6 +35,7 @@ jobs: supported_platforms: - linux/amd64 - linux/arm64 + - linux/arm64/v8 - context: base/alpine image_name: ${{ github.repository_owner }}/alpine description: "Alpine Linux" @@ -42,6 +44,7 @@ jobs: - linux/arm64 - linux/arm/v7 - linux/arm/v8 + - linux/arm64/v8 - context: base/debian image_name: ${{ github.repository_owner }}/debian description: "Debian Linux (Slim)" @@ -50,6 +53,7 @@ jobs: - linux/arm64 - linux/arm/v7 - linux/arm/v8 + - linux/arm64/v8 outputs: digests: ${{ steps.build-push-image.outputs.digest }} steps: @@ -80,18 +84,22 @@ jobs: with: context: ${{ matrix.images.context }} file: ${{ matrix.images.context }}/Dockerfile - push: true - provenance: true + push: ${{ env.PUSH_IMAGES }} + provenance: ${{ env.PROVENANCE }} cache-from: type=gha cache-to: type=gha,mode=max tags: | ${{ matrix.images.image_name }}:latest ghcr.io/${{ matrix.images.image_name }}:latest + ${{ matrix.images.image_name }}:${{ github.sha }} + ghcr.io/${{ matrix.images.image_name }}:${{ github.sha }} platforms: ${{ join(matrix.images.supported_platforms, ',') }} labels: |- org.opencontainers.image.vendor=${{ github.repository_owner }} org.opencontainers.image.source=https://github.com/${{ github.repository}} org.opencontainers.image.description=${{ matrix.images.description }} + org.opencontainers.image.revision=${{ github.sha }} + org.opencontainers.image.title=${{ matrix.images.image_name }} build-tool-images: needs: build-base-images 
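Review bot: `PROVENANCE: false` in the new top-level `env:` block turns build provenance off for every image, because both build steps now read it (`provenance: ${{ env.PROVENANCE }}` in the @@ -80 and @@ -147 hunks) where the old side set `provenance: true`. Pushed images then carry no attestation tying them to this workflow run and commit, so consumers cannot verify where an image was built. If the switch exists to avoid the extra attestation manifest in the multi-platform index, say so in a comment above the variable, e.g. `# provenance disabled: <reason>; re-enable once <condition>`. Otherwise keep it on for the runs that push, for instance `PROVENANCE: ${{ github.ref == 'refs/heads/trunk' }}`.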
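Review bot: The added `- linux/arm64/v8` entry sits directly after an existing `- linux/arm64` in the same `supported_platforms` list, and the two name the same target, since `v8` is the default variant for arm64. The same addition repeats in the @@ -42, @@ -50 and @@ -111 hunks. Depending on the buildx version this may build the platform twice or trip over a duplicate entry when the manifest list is assembled, so I would keep one spelling per list. If the intent was to fix the existing `linux/arm/v8` entry, replace that line instead of adding a new one.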
@@ -111,6 +119,7 @@ jobs: - linux/arm64 - linux/arm/v7 - linux/arm/v8 + - linux/arm64/v8 - context: tools/kubectl image_name: ${{ github.repository_owner }}/kubectl description: "Kubectl is a CLI tool for running commands against Kubernetes clusters." @@ -147,14 +156,19 @@ jobs: context: ${{ matrix.images.context }} file: ${{ matrix.images.context }}/Dockerfile push: ${{ env.PUSH_IMAGES}} - provenance: true + provenance: ${{ env.PROVENANCE }} cache-from: type=gha cache-to: type=gha,mode=max tags: | ${{ matrix.images.image_name }}:latest ghcr.io/${{ matrix.images.image_name }}:latest + ${{ matrix.images.image_name }}:${{ github.sha }} + ghcr.io/${{ matrix.images.image_name }}:${{ github.sha }} platforms: ${{ join(matrix.images.supported_platforms, ',') }} labels: |- org.opencontainers.image.vendor=${{ github.repository_owner }} org.opencontainers.image.source=https://github.com/${{ github.repository}} org.opencontainers.image.description=${{ matrix.images.description }} + org.opencontainers.image.revision=${{ github.sha }} + org.opencontainers.image.title=${{ matrix.images.image_name }} + org.opencontainers.image.version=${{ github.ref }} diff --git a/tools/kubectl/Dockerfile b/tools/kubectl/Dockerfile index 759993a..30e06f7 100644 --- a/tools/kubectl/Dockerfile +++ b/tools/kubectl/Dockerfile 
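Review bot: The added label `org.opencontainers.image.version=${{ github.ref }}` will hold a full ref such as `refs/heads/trunk` rather than a version, since the new `PUSH_IMAGES` expression only pushes from trunk. It is also added only to this tool-image step; the base-image step in the @@ -80 hunk gains `revision` and `title` but no `version`, so the two label sets now differ. Either drop the line (the `revision` label already pins the commit) or set it to the packaged tool version, and keep both steps consistent. The step's `with:` block starts above the hunk.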
@@ -6,14 +6,15 @@ LABEL org.opencontainers.image.authors="iodeslykos <42@iodeslykos.com>" ARG VERSION=v1.29.0 ARG TARGETPLATFORM +ARG TARGETARCH +ARG TARGETOS ENV USER=outis WORKDIR /tmp # hadolint ignore=DL4006 -RUN TARGET_ARCH=$(echo "${TARGETPLATFORM}" | cut -d '/' -f2) \ - && curl -LO "https://dl.k8s.io/release/${VERSION}/bin/linux/${TARGET_ARCH}/kubectl" \ - && curl -LO "https://dl.k8s.io/${VERSION}/bin/linux/${TARGET_ARCH}/kubectl.sha256" \ +RUN curl -LO "https://dl.k8s.io/release/${VERSION}/bin/linux/${TARGETARCH}/kubectl" \ + && curl -LO "https://dl.k8s.io/${VERSION}/bin/linux/${TARGETARCH}/kubectl.sha256" \ && echo "$(cat kubectl.sha256) kubectl" | sha256sum -c - \ && mv kubectl /usr/local/bin/kubectl \ && chmod +x /usr/local/bin/kubectl diff --git a/tools/opentofu/Dockerfile b/tools/opentofu/Dockerfile index e2dbf2d..fca36eb 100644 --- a/tools/opentofu/Dockerfile +++ b/tools/opentofu/Dockerfile @@ -8,6 +8,8 @@ LABEL org.opencontainers.image.source="https://github.com/opentofu/opentofu/" ARG WORKDIR=/tmp/opentofu ARG TARGETPLATFORM +ARG TARGETARCH +ARG TARGETOS ARG APP=tofu ARG VERSION='1.6.0' @@ -17,12 +19,11 @@ WORKDIR ${WORKDIR} # hadolint ignore=DL3018 RUN apk add --no-cache \ - curl + curl # hadolint ignore=DL4006 -RUN TARGET_ARCH=$(echo "${TARGETPLATFORM}" | cut -d '/' -f2) \ - && curl -fsSL -o "${WORKDIR}/${APP}.apk" \ - "https://github.com/opentofu/opentofu/releases/download/v${VERSION}/${APP}_${VERSION}_${TARGET_ARCH}.apk" \ +RUN curl -fsSL -o "${WORKDIR}/${APP}.apk" \ + "https://github.com/opentofu/opentofu/releases/download/v${VERSION}/${APP}_${VERSION}_${TARGETARCH}.apk" \ && apk add --no-cache --allow-untrusted \ "${WORKDIR}/${APP}.apk" \ && rm -rf "${WORKDIR}/${APP}.apk"
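Review bot: The rewritten `RUN` still downloads the binary from `dl.k8s.io/release/${VERSION}/...` but the checksum from `dl.k8s.io/${VERSION}/...` without the `release/` segment. Both `curl -LO` calls also lack `-f`, so an HTTP error body would be written to disk and only caught indirectly by `sha256sum -c`. I would use one path for both and fail at the download itself: `curl -fsSLO "https://dl.k8s.io/release/${VERSION}/bin/linux/${TARGETARCH}/kubectl.sha256"`. A checksum served by the same host as the binary detects corruption but not a tampered origin; pinning the expected digest per architecture in the Dockerfile would cover that case. `ARG TARGETOS` is declared but unused while the URLs hard-code `linux`, and `ARG TARGETPLATFORM` no longer has a reader in the lines shown.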
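Review bot: In the tools/opentofu/Dockerfile @@ -17 hunk, the downloaded `.apk` is installed with `apk add --allow-untrusted` and nothing between the `curl` and the install checks its integrity. Whatever the release URL returns is therefore installed as-is. The kubectl Dockerfile in this same commit verifies a SHA-256 before installing, and this `RUN` should do the same, for example with a per-architecture build argument and `&& echo "${APK_SHA256}  ${WORKDIR}/${APP}.apk" | sha256sum -c - \` ahead of the `apk add` line (`APK_SHA256` is a placeholder name, not something the file defines). The `apk add` and `rm -rf` lines are unchanged context, but they belong to the `RUN` this hunk rewrites. `ARG TARGETOS` from the @@ -8 hunk is unused here as well.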