diff --git a/.github/workflows/publish-image.yml b/.github/workflows/publish-image.yml
new file mode 100644
index 0000000..4485ca0
--- /dev/null
+++ b/.github/workflows/publish-image.yml
@@ -0,0 +1,58 @@
+name: Build and Publish Container Image
+
+on:
+  push:
+    branches:
+      - main
+    tags:
+      - 'v*'
+  release:
+    types: [published]
+  workflow_dispatch: {}
+
+permissions:
+  contents: read
+  packages: write
+
+env:
+  REGISTRY: ghcr.io
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Derive image name (lowercase owner)
+        id: names
+        run: |
+          echo "OWNER_LC=${GITHUB_REPOSITORY_OWNER,,}" >> $GITHUB_ENV
+          echo "IMAGE=${REGISTRY}/${GITHUB_REPOSITORY_OWNER,,}/slinky" >> $GITHUB_ENV
+
+      - name: Log in to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels)
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.IMAGE }}
+          tags: |
+            type=ref,event=tag
+            type=raw,value=latest,enable={{is_default_branch}}
+            type=raw,value=v1
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+
+
diff --git a/action.yml b/action.yml
index b85b2b1..b4a9315 100644
--- a/action.yml
+++ b/action.yml
@@ -49,7 +49,7 @@ inputs:
 
 runs:
   using: "docker"
-  image: "Dockerfile"
+  image: "docker://ghcr.io/lukehagar/slinky:v1"
   args: []
   env:
     INPUT_PATH: ${{ inputs.path }}
diff --git a/entrypoint.sh b/entrypoint.sh
index 8dbc79a..39b2dd1 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -12,26 +12,28 @@ FAIL_ON_FAILURES_ARG="${INPUT_FAIL_ON_FAILURES:-true}"
 COMMENT_PR_ARG="${INPUT_COMMENT_PR:-true}"
 STEP_SUMMARY_ARG="${INPUT_STEP_SUMMARY:-true}"
 
-ARGS="check \"${PATH_ARG}\" --concurrency ${CONCURRENCY_ARG} --timeout ${TIMEOUT_ARG}"
+# Build argv safely
+set -- check "$PATH_ARG" --concurrency "$CONCURRENCY_ARG" --timeout "$TIMEOUT_ARG"
 if [ "${FAIL_ON_FAILURES_ARG}" = "true" ]; then
-  ARGS="$ARGS --fail-on-failures true"
+  set -- "$@" --fail-on-failures true
 else
-  ARGS="$ARGS --fail-on-failures false"
+  set -- "$@" --fail-on-failures false
 fi
+
 if [ -n "${PATTERNS_ARG}" ]; then
-  NORM_PATTERNS=$(printf "%s" "${PATTERNS_ARG}" | sed 's/,\s*/,/g')
+  NORM_PATTERNS=$(printf "%s" "${PATTERNS_ARG}" | sed 's/,[[:space:]]*/,/g')
   IFS=','
-  set -- $NORM_PATTERNS
-  unset IFS
-  for pat in "$@"; do
-    ARGS="$ARGS --patterns \"$pat\""
+  for pat in $NORM_PATTERNS; do
+    set -- "$@" --patterns "$pat"
   done
+  unset IFS
 fi
+
 if [ -n "${JSON_OUT_ARG}" ]; then
-  ARGS="$ARGS --json-out \"${JSON_OUT_ARG}\""
+  set -- "$@" --json-out "$JSON_OUT_ARG"
 fi
 if [ -n "${MD_OUT_ARG}" ]; then
-  ARGS="$ARGS --md-out \"${MD_OUT_ARG}\""
+  set -- "$@" --md-out "$MD_OUT_ARG"
 fi
 
 # Compute GitHub blob base URL for file links used in the Markdown report
@@ -50,15 +52,16 @@ elif [ -n "${GITHUB_REPOSITORY:-}" ]; then
   fi
 fi
 
-eval slinky ${ARGS}
+# Execute
+slinky "$@"
 
-# Expose outputs
+# Expose outputs (use underscore names)
 if [ -n "${GITHUB_OUTPUT:-}" ]; then
   if [ -n "${JSON_OUT_ARG}" ]; then
-    echo "json-path=${JSON_OUT_ARG}" >> "$GITHUB_OUTPUT"
+    echo "json_path=${JSON_OUT_ARG}" >> "$GITHUB_OUTPUT"
   fi
   if [ -n "${MD_OUT_ARG}" ]; then
-    echo "md-path=${MD_OUT_ARG}" >> "$GITHUB_OUTPUT"
+    echo "md_path=${MD_OUT_ARG}" >> "$GITHUB_OUTPUT"
   fi
 fi