diff --git a/.github/workflows/build-image.yml b/.github/workflows/build-image.yml
deleted file mode 100644
index 8dd330c..0000000
--- a/.github/workflows/build-image.yml
+++ /dev/null
@@ -1,54 +0,0 @@
-name: Build and Push Docker Image
-
-# Builds linux/amd64 on GitHub-hosted runners (native amd64) so arm64 dev
-# machines don't need cross-compilation. Triggers on changes to the image or
-# VERSION, and can be run manually from any branch for ad-hoc builds.
-#
-# Required repository secrets:
-# DOCKERHUB_USERNAME - Docker Hub username
-# DOCKERHUB_TOKEN - Docker Hub access token (read/write)
-
-on:
- push:
- branches: [main]
- paths:
- - 'image/**'
- - 'VERSION'
- pull_request:
- paths:
- - 'image/**'
- - 'VERSION'
- workflow_dispatch:
-
-jobs:
- build:
- name: Build image
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v6
-
- - name: Read version
- id: version
- run: echo "version=$(cat VERSION)" >> "$GITHUB_OUTPUT"
-
- - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
-
- - name: Log in to Docker Hub
- if: ${{ github.event_name != 'pull_request' }}
- uses: docker/login-action@v3
- with:
- username: ${{ secrets.DOCKERHUB_USERNAME }}
- password: ${{ secrets.DOCKERHUB_TOKEN }}
-
- - name: Build and push
- uses: docker/build-push-action@v6
- with:
- context: image
- platforms: linux/amd64
- push: ${{ github.event_name != 'pull_request' }}
- tags: |
- ddev/coder-ddev:${{ steps.version.outputs.version }}
- ddev/coder-ddev:latest
- cache-from: type=gha
- cache-to: type=gha,mode=max
diff --git a/.github/workflows/push-image.yml b/.github/workflows/push-image.yml
new file mode 100644
index 0000000..ad6ec53
--- /dev/null
+++ b/.github/workflows/push-image.yml
@@ -0,0 +1,55 @@
+name: Push Image
+
+# Builds linux/amd64 on GitHub-hosted runners (native amd64) so arm64 dev
+# machines don't need cross-compilation. Triggered manually only.
+#
+# Required repository secrets:
+# PUSH_SERVICE_ACCOUNT_TOKEN - 1Password service account token
+# Required repository variables:
+# DOCKERHUB_USERNAME - Docker Hub username
+
+on:
+ workflow_dispatch:
+
+permissions:
+ contents: read
+
+jobs:
+ build:
+ name: Build image
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v6
+
+ - name: Read version
+ id: version
+ run: echo "version=$(cat VERSION)" >> "$GITHUB_OUTPUT"
+
+ - name: Load 1password secret(s)
+ uses: 1password/load-secrets-action@v4
+ with:
+ export-env: true
+ env:
+ OP_SERVICE_ACCOUNT_TOKEN: "${{ secrets.PUSH_SERVICE_ACCOUNT_TOKEN }}"
+ DOCKERHUB_TOKEN: "op://push-secrets/DOCKERHUB_TOKEN/credential"
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v4
+
+ - name: Log in to Docker Hub
+ uses: docker/login-action@v4
+ with:
+ username: ${{ vars.DOCKERHUB_USERNAME }}
+ password: ${{ env.DOCKERHUB_TOKEN }}
+
+ - name: Build and push
+ uses: docker/build-push-action@v7
+ with:
+ context: image
+ platforms: linux/amd64
+ push: true
+ tags: |
+ ddev/coder-ddev:${{ steps.version.outputs.version }}
+ ddev/coder-ddev:latest
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
diff --git a/docs/admin/operations-guide.md b/docs/admin/operations-guide.md
index fbb8ab7..2d6b6dd 100644
--- a/docs/admin/operations-guide.md
+++ b/docs/admin/operations-guide.md
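Review bot: `export-env: true` in the "Load 1password secret(s)" step puts `DOCKERHUB_TOKEN` into the job environment, so the later `docker/setup-buildx-action@v4` and `docker/build-push-action@v7` steps can read it although only the login step needs it. Setting `export-env: false`, adding `id: op` to that step and passing `password: ${{ steps.op.outputs.DOCKERHUB_TOKEN }}` to the login step keeps the token scoped to its one consumer. Every action in this job is referenced by a mutable major tag while the job holds the 1Password service-account token, so pinning each `uses:` to a full commit SHA (for example `1password/load-secrets-action@<full-commit-sha> # v4`) would stop a retagged release from running with those credentials. Because `workflow_dispatch` accepts any ref and `push: true` is unconditional, a run from a feature branch overwrites `ddev/coder-ddev:latest`; a job-level `if: github.ref == 'refs/heads/main'` or a protected environment with required reviewers would restrict what can be published.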
@@ -83,6 +83,29 @@ make info
 See `image/README.md` for details on customizing the Docker image.
+### Using GitHub Actions (push-image workflow)
+
+The repository has a manually triggered workflow (`.github/workflows/push-image.yml`) that builds and pushes the image to Docker Hub from GitHub's infrastructure. This is the preferred approach for official releases.
+
+**Prerequisites — configure once in GitHub repository settings:**
+
+- **Secret** `PUSH_SERVICE_ACCOUNT_TOKEN` — 1Password service account token (from the `push-secrets` vault)
+- **Variable** `DOCKERHUB_USERNAME` — Docker Hub username (e.g. `ddev`)
+
+The workflow reads `DOCKERHUB_TOKEN` from 1Password at `op://push-secrets/DOCKERHUB_TOKEN/credential` using the service account token.
+
+**To trigger a push:**
+
+1. Update `VERSION` and commit/merge to the branch you want to build from.
+2. Go to **Actions → Push Image → Run workflow** in the GitHub UI, select the branch, and click **Run workflow**.
+3. The workflow builds `linux/amd64`, tags the image as both `ddev/coder-ddev:` and `ddev/coder-ddev:latest`, and pushes to Docker Hub.
+
+Alternatively, trigger via the CLI:
+
+```bash
+gh workflow run push-image.yml --ref
+```
+
 ## Deploying the Template
 ### Using the Makefile