diff --git a/.github/workflows/ci-docker.yml b/.github/workflows/ci-docker.yml
index deb811a2b..3d47d3c67 100644
--- a/.github/workflows/ci-docker.yml
+++ b/.github/workflows/ci-docker.yml
@@ -5,6 +5,10 @@ on: [push, pull_request]
 jobs:
   build:
     runs-on: ubuntu-latest
+    permissions:
+      attestations: write
+      id-token: write
+      packages: write
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -14,12 +18,43 @@ jobs:
         uses: docker/setup-qemu-action@v3
       - name: Set up buildx
         uses: docker/setup-buildx-action@v3
+      - name: Login to ghcr.io
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Generate version information
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ghcr.io/${{ github.repository }}
+          tags: |
+            type=schedule
+            type=ref,event=branch
+            type=ref,event=tag,enable=${{ !startsWith(github.ref, 'refs/tags/v') }}
+            type=ref,event=pr
+            type=semver,pattern={{version}},enable=${{ startsWith(github.ref, 'refs/tags/v') }}
+            type=semver,pattern={{major}}.{{minor}},enable=${{ startsWith(github.ref, 'refs/tags/v') }}
+            type=semver,pattern={{major}},enable=${{ startsWith(github.ref, 'refs/tags/v') }}
+          flavor: |
+            latest=${{ startsWith(github.ref, 'refs/tags/v') }}
       - name: Build image
-        uses: docker/build-push-action@v5
+        id: build
+        uses: docker/build-push-action@v6
         with:
           context: .
           platforms: linux/amd64,linux/arm64,linux/arm/v7,windows/amd64
-          push: false
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
           pull: true
           cache-from: type=gha, scope=${{ github.workflow }}
           cache-to: type=gha, scope=${{ github.workflow }}
+      - name: Generate build provenance attestation
+        if: ${{ github.event_name != 'pull_request' }}
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-name: ghcr.io/${{ github.repository }}
+          subject-digest: ${{ steps.build.outputs.digest }}
+          push-to-registry: true
diff --git a/docs/changelog.md b/docs/changelog.md
index 00aec595e..f477c3cc5 100644
--- a/docs/changelog.md
+++ b/docs/changelog.md
@@ -98,6 +98,7 @@ Use past tense when adding new entries; sign your name off when you add or chang
 * Rewrote the `.dockerignore` file into a denylist. (@timschumi)
 * Added CI for Docker images. (@timschumi)
 * Fixed Cursed Flares kicking players for invalid buff. (@Arthri)
+* Added automatic publishing of Docker images to GHCR. (@timschumi)
 
 ## TShock 5.2
 * An additional option `pvpwithnoteam` is added at `PvPMode` to enable PVP with no team. (@CelestialAnarchy, #2617, @ATFGK)
diff --git a/docs/docker.md b/docs/docker.md
index ca0185103..afc4bdfc9 100644
--- a/docs/docker.md
+++ b/docs/docker.md
@@ -14,32 +14,27 @@ Open ports can also be passed through using `-p <host_port>:<container_port>`.
 
 For Example:
 ```bash
-# Building the image using buildx and loading it into docker
-docker buildx build -t tshock:latest --load .
-
-# Running the image
 docker run -p 7777:7777 -p 7878:7878 \
            -v /home/cider/tshock/:/tshock \
            -v /home/cider/.local/share/Terraria/Worlds:/worlds \
            -v /home/cider/tshock/plugins:/plugins \
-           --rm -it tshock:latest \
+           --rm -it ghcr.io/pryaxis/tshock:latest \
            -world /worlds/backflip.wld -motd "OMFG DOCKER"
 ```
 
-## Building for Other Platforms
+## Building custom images
 
-Using `docker buildx`, you could build [multi-platform images](https://docs.docker.com/build/building/multi-platform/) for TShock.
+Occasionally, it may be necessary to adjust TShock with customizations that are not included in the upstream project.
+Therefore, these changes are also not available in the officially provided Docker images.
+
+To build and load a Docker image from your local checkout, use the following `buildx` command:
 
-For Example:
 ```bash
-# Building the image using buildx and loading it into docker
-docker buildx build -t tshock:linux-arm64 --platform linux/arm64 --load .
+docker buildx build -t tshock:latest --load .
+```
 
-# Running the image
-docker run -p 7777:7777 -p 7878:7878 \
-           -v /home/cider/tshock/:/tshock \
-           -v /home/cider/.local/share/Terraria/Worlds:/worlds \
-           -v /home/cider/tshock/plugins:/plugins \
-           --rm -it tshock:linux-arm64 \
-           -world /worlds/backflip.wld -motd "ARM64 ftw"
+It is also possible to build [multi-platform images](https://docs.docker.com/build/building/multi-platform/) for TShock (e.g. an image targeting `arm64`, on a host that is not `arm64`):
+
+```bash
+docker buildx build -t tshock:linux-arm64 --platform linux/arm64 --load .
 ```