diff --git a/.github/workflows/release-docker.yml b/.github/workflows/release-docker.yml
index baee4c1..ff131b2 100644
--- a/.github/workflows/release-docker.yml
+++ b/.github/workflows/release-docker.yml
@@ -1,36 +1,95 @@ # .github/workflows/release-docker.yml name: Publish Docker image + +############################################################################### +# Triggers +############################################################################### on: + # 1️⃣ Traditional: run automatically when a GitHub Release is published release: types: [published] + + # 2️⃣ Option 2: run every time the build-and-release workflow + # completes successfully on the main branch + workflow_run: + workflows: ["build-and-release"] + types: [completed] + branches: [main] + + # 3️⃣ Manual: “Run workflow” button or `gh workflow run` + workflow_dispatch: + inputs: + tag: + description: "Tag to push (leave blank → latest release)" + required: false + type: string + +############################################################################### permissions: - contents: read - packages: write + contents: read # needed for checkout + GH API + packages: write # push to ghcr.io + +############################################################################### jobs: build-and-push: + # Only run on workflow_run if the upstream workflow succeeded + if: github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'success' runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - uses: docker/setup-buildx-action@v3 - - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - name: Prepare release tag - id: tag - run: | - TAG=${RELEASE_TAG#v} - echo "tag=$TAG" >>"$GITHUB_OUTPUT" - env: - RELEASE_TAG: ${{ github.event.release.tag_name }} - - uses: docker/build-push-action@v5 - with: - context: . 
- file: docker/Dockerfile - platforms: linux/amd64,linux/arm64 - push: true - tags: | - ghcr.io/mongodb/kingfisher:latest - ghcr.io/mongodb/kingfisher:${{ steps.tag.outputs.tag }} + steps: + # ----------------------------------------------------------------------- + # Check out the exact commit that produced the artifacts (workflow_run), + # otherwise just use the SHA tied to the release / manual dispatch. + # ----------------------------------------------------------------------- + - uses: actions/checkout@v4 + with: + ref: ${{ github.event_name == 'workflow_run' && github.event.workflow_run.head_sha || github.sha }} + + # ----------------------------------------------------------------------- + # Decide which tag we’re going to publish + # ----------------------------------------------------------------------- + - name: Determine tag + id: tag + shell: bash + env: + # populated only for workflow_dispatch + MANUAL_TAG: ${{ github.event.inputs.tag }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + set -euo pipefail + if [[ "${GITHUB_EVENT_NAME}" == "release" ]]; then + RAW_TAG="${{ github.event.release.tag_name }}" + elif [[ "${GITHUB_EVENT_NAME}" == "workflow_dispatch" && -n "${MANUAL_TAG}" ]]; then + RAW_TAG="${MANUAL_TAG}" + else + # workflow_run (or manual w/o tag) → ask GitHub API for latest release tag + RAW_TAG=$(curl -sSL -H "Authorization: Bearer ${GH_TOKEN}" \ + "https://api.github.com/repos/${{ github.repository }}/releases/latest" \ + | jq -r .tag_name) + fi + + # Strip a leading "v" so v1.2.3 → 1.2.3 + TAG=${RAW_TAG#v} + echo "Selected tag: ${TAG}" + echo "tag=${TAG}" >> "${GITHUB_OUTPUT}" + + # ----------------------------------------------------------------------- + # Build & push + # ----------------------------------------------------------------------- + - uses: docker/setup-buildx-action@v3 + + - uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - uses: 
docker/build-push-action@v5 + with: + context: . + file: docker/Dockerfile + platforms: linux/amd64,linux/arm64 + push: true + tags: | + ghcr.io/mongodb/kingfisher:latest + ghcr.io/mongodb/kingfisher:${{ steps.tag.outputs.tag }}
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 81b32a1..dffce78 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,7 @@ All notable changes to this project will be documented in this file. - Updating GitHub Action to generate Docker image - Added rules for Diffbot, ai21, baseten - Fixed supabase rule +- Added 'alg' to JWT validation output ## [1.22.0] - Added rules for Google Gemini AI, Cohere, Stability.ai, Replicate, Runway, Clarifai
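Review bot: In the workflow_run branch of the `Determine tag` step the image is built from `github.event.workflow_run.head_sha` but tagged with whatever `/releases/latest` returns, so every successful build-and-release run on main after a release re-pushes `ghcr.io/mongodb/kingfisher:<latest-release-version>` and `:latest` from a commit that is not the released one; unless build-and-release itself only runs on release commits, that path should derive the version from the checked-out commit (or skip the version tag when the commit does not match the release) instead of re-pointing an already-published version tag. The same mismatch applies to a manual dispatch with `tag` set, which checks out `github.sha` rather than the commit for that tag. The release branch also regresses from the removed `env: RELEASE_TAG` pattern to interpolating `${{ github.event.release.tag_name }}` directly into the script body; keep it as an environment variable the way MANUAL_TAG is handled, `RELEASE_TAG: ${{ github.event.release.tag_name }}` under `env:` and `RAW_TAG="${RELEASE_TAG}"` in the script, so the tag name is never parsed as shell. The curl call has no `--fail`, so a 404 from the API (no release yet) yields `RAW_TAG=null` and a `:null` image tag despite `set -euo pipefail`; use `curl -sSfL` and reject an empty or `null` result before writing to `GITHUB_OUTPUT`.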