diff --git a/.github/workflows/cla-assistant.yml b/.github/workflows/cla-assistant.yml index 63f9397..29b32fe 100644 --- a/.github/workflows/cla-assistant.yml +++ b/.github/workflows/cla-assistant.yml @@ -3,7 +3,7 @@ on: workflow_call: inputs: repository: - description: "The repository that the CLA is generated for" + description: "The repository that the CLA is generated for. Example `hello-world`." required: true type: string version: @@ -43,7 +43,7 @@ jobs: # branch should not be protected branch: "main" - allowlist: "" + allowlist: "semantic-release-bot" lock-pullrequest-aftermerge: false use-dco-flag: false diff --git a/.github/workflows/cla-internal.yml b/.github/workflows/cla-internal.yml new file mode 100644 index 0000000..fcc9692 --- /dev/null +++ b/.github/workflows/cla-internal.yml @@ -0,0 +1,24 @@ +# ----------- +# NOTICE: This workflow is for internal use within the CI repository +# ----------- + +name: "CLA Assistant" + +on: + issue_comment: + types: [created] + pull_request_target: + types: [opened, closed, synchronize] + +jobs: + CLAAssistant: + permissions: + actions: write + contents: read + pull-requests: write + statuses: write + name: "CLA Assistant" + uses: ctfpilot/ci/.github/workflows/cla-assistant.yml@v1.0.0 + secrets: inherit + with: + repository: ci \ No newline at end of file diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml new file mode 100644 index 0000000..3492f8f --- /dev/null +++ b/.github/workflows/docker.yml 
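Review bot: The new `allowlist: "semantic-release-bot"` line in `cla-assistant.yml` hard-codes a CLA exemption into the shared workflow, so every repository that calls it inherits the exemption, and nothing says why. The step that consumes this value is outside the hunk, so the following is an assumption: if the CLA action matches allowlist entries against commit author metadata, git does not authenticate that identity unless commits are signed, and the exemption is only as strong as that match. I would add a comment above the line, for example `# semantic-release-bot authors automated release commits only; keep this list minimal`. It is also worth confirming whether release commits ever reach a pull request in these repositories.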
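Review bot: `secrets: inherit` on the `CLAAssistant` job in `cla-internal.yml` forwards every secret available to this repository into the called workflow, and the job runs on `pull_request_target` and `issue_comment`, both of which execute in the base repository's context for activity that outside contributors can trigger. If `cla-assistant.yml` declares its secrets (its `secrets:` block is not visible in this diff), passing only those, as `secrets:` with `<SECRET_NAME>: ${{ secrets.<SECRET_NAME> }}`, limits the exposure to what the CLA check needs. The job also pins `@v1.0.0`, a tag that can be moved and that may predate the allowlist change made to `cla-assistant.yml` in this same commit. Because caller and callee live in the same repository, `uses: ./.github/workflows/cla-assistant.yml` would keep them in step. The file also ends without a trailing newline.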
@@ -0,0 +1,107 @@
+name: Docker build and push
+on:
+ workflow_call:
+ inputs:
+ repository:
+ description: "Allowed repository for workflow to run in. Example `ctfpilot/hello-world`."
+ required: true
+ type: string
+ dockerfile:
+ description: "Dockerfile path."
+ required: false
+ default: "./Dockerfile"
+ type: string
+ context:
+ description: "Build context."
+ required: false
+ default: "."
+ type: string
+ arguments:
+ description: "Build arguments. List of key-value pairs."
+ required: false
+ default: ""
+ type: string
+ semver:
+ description: "Semantic version. Leave empty to not use semantic versioning."
+ required: false
+ default: ""
+ type: string
+ tags:
+ description: "List of tags to apply to the image. Required if you do not use semantic versioning."
+ required: false
+ default: |
+ type=raw,value=${{ github.sha }}
+ type: string
+ registry:
+ description: "Registry for docker image to use. Defaults to GitHub container registry."
+ required: false
+ default: ghcr.io
+ type: string
+ image_name:
+ description: "Docker image name to use. Defaults to repository name."
+ required: false
+ default: ${{ github.repository }}
+ type: string
+ registry_username:
+ description: "Username to use for registry login. Defaults to GitHub actor."
+ required: false
+ type: string
+ registry_token:
+ description: "Token to use for registry login. Defaults to GITHUB_TOKEN."
+ required: false
+ type: string
+ fetch_submodules:
+ description: "Fetch submodules. Defaults to true."
+ required: false
+ default: true
+ type: boolean
+ platforms:
+ description: "Platforms to build for (comma separated, e.g., linux/amd64,linux/arm64)."
+ required: false
+ default: linux/amd64
+ type: string
+ runner:
+ description: "Runner to use for the job. Defaults to ubuntu-latest."
+ required: false
+ default: ubuntu-latest
+ type: string
+ cacheFrom:
+ description: "Cache type from"
+ required: false
+ type: string
+ default: type=gha
+ cacheTo:
+ description: "Cache type to"
+ required: false
+ type: string
+ default: type=gha,mode=max
+ commit:
+ description: "Commit SHA to use for git operations and tagging. Defaults to github.sha."
+ required: false
+ default: ${{ github.sha }}
+ type: string
+
+jobs:
+ docker:
+ uses: the0mikkel/ci/.github/workflows/docker.yml@v1.4.1
+ if: github.repository == inputs.repository
+ permissions:
+ contents: read
+ packages: write
+ id-token: write
+ with:
+ dockerfile: ${{ inputs.dockerfile }}
+ context: ${{ inputs.context }}
+ arguments: ${{ inputs.arguments }}
+ semver: ${{ inputs.semver }}
+ tags: ${{ inputs.tags }}
+ registry: ${{ inputs.registry }}
+ image_name: ${{ inputs.image_name }}
+ registry_username: ${{ inputs.registry_username }}
+ registry_token: ${{ inputs.registry_token }}
+ fetch_submodules: ${{ inputs.fetch_submodules }}
+ platforms: ${{ inputs.platforms }}
+ runner: ${{ inputs.runner }}
+ cacheFrom: ${{ inputs.cacheFrom }}
+ cacheTo: ${{ inputs.cacheTo }}
+ commit: ${{ inputs.commit }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index af36240..7850162 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -8,7 +8,7 @@ on:
 workflow_call:
 inputs:
 repository:
- description: "The repository to release"
+ description: "Allowed repository for workflow to run in. Example `ctfpilot/hello-world`."
 required: true
 type: string
 ENVIRONMENT:
@@ -37,4 +37,4 @@ jobs:
 uses: the0mikkel/ci/.github/workflows/semver-release-standalone.yml@v1.4.1
 secrets: inherit
 with:
- ENVIRONMENT: ENVIRONMENT
+ ENVIRONMENT: ${{ inputs.ENVIRONMENT }}
diff --git a/README.md b/README.md
index e4575a4..9f8cac2 100644
--- a/README.md
+++ b/README.md
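Review bot: The `docker` job in the new `docker.yml` delegates to `the0mikkel/ci/.github/workflows/docker.yml@v1.4.1`, a workflow in another account referenced by tag, while granting it `packages: write` and `id-token: write`. A tag can be re-pointed, so pinning the full commit SHA, `uses: the0mikkel/ci/.github/workflows/docker.yml@<full-commit-sha> # v1.4.1`, fixes which code receives those permissions. The same tag pin appears in the `release.yml` hunk (`semver-release-standalone.yml@v1.4.1`), there combined with `secrets: inherit`. Separately, `registry_token` is declared under `inputs` as a plain string, and as far as I know the `secrets` context is not available in a caller's `with:` block, so a caller has no clean way to supply a real token without treating it as ordinary configuration. Declaring it under `on.workflow_call.secrets` would be the safer shape, provided the upstream workflow can accept it that way (its interface is not visible here).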
@@ -3,7 +3,7 @@ > [!IMPORTANT] > This CI repository is meant for internal usage within the CTFPilot organization. -This repository contains Continuous intergration automation, in the forms of Github Action workflows. +This repository contains Continuous intergration automation, in the forms of GitHub Action workflows. ## How to use @@ -20,7 +20,7 @@ jobs: permissions: name: - uses: ctfpilot/ci/.github/workflows/@ + uses: ctfpilot/ci/.github/workflows/.yml@ with: ``` @@ -29,16 +29,19 @@ jobs: - [`cla-assistant`](#cla-assistant): CLA Assistant bot - [`release`](#release): Release system +- [`docker`](#docker): Docker build and push system ### CLA Assistant -This workflow contains the CLA Assistant bot used througout CTF Pilot. +This workflow contains the CLA Assistant bot used throughout CTF Pilot. It is setup to contain sensible defaults, but requires the `repository` input to be specified. +The workflow can only be run within the `ctfpilot` organization. + #### Inputs -- `repository`: The repository that the CLA is generated for +- `repository`: The repository that the CLA is generated for. Example `hello-world`. - `version`: CLA version. Keep default to use organization default. - `CLASHA`: The SHA for the commit, the CLA version is. Keep default to use organization default. 
@@ -65,20 +68,21 @@ jobs: pull-requests: write statuses: write name: "CLA Assistant" - uses: ctfpilot/ci/.github/workflows/cla-assistant@ + uses: ctfpilot/ci/.github/workflows/cla-assistant.yml@ + secrets: inherit with: repository: ``` ### Release -This workflow contains the release system used througout CTF Pilot. +This workflow contains the release system used throughout CTF Pilot. -The wofklow requires the `repository` input to be specified. +The workflow requires the `repository` input to be specified. #### Inputs -- `repository`: The repository that the CLA is generated for +- `repository`: Allowed repository for workflow to run in. Example `ctfpilot/hello-world`. - `ENVIRONMENT`: The environment to deploy to. #### Secrets 
@@ -108,7 +112,55 @@ jobs: packages: write id-token: write name: "Release" - uses: ctfpilot/ci/.github/workflows/release@ + uses: ctfpilot/ci/.github/workflows/release.yml@ + with: + repository: +``` + +### Docker + +This workflow contains the Docker build and push system used throughout CTF Pilot. + +The workflow requires the `repository` input to be specified. + +#### Inputs + +- `repository`: Allowed repository for workflow to run in. Example `ctfpilot/hello-world`. +- `dockerfile`: Dockerfile path. +- `context`: Build context. +- `arguments`: Build arguments. List of key-value pairs. +- `semver`: Semantic version. Leave empty to not use semantic versioning. +- `tags`: List of tags to apply to the image. Required if you do not use semantic versioning. +- `registry`: Registry for docker image to use. Defaults to GitHub container registry. +- `image_name`: Docker image name to use. Defaults to repository name. +- `registry_username`: Username to use for registry login. Defaults to GitHub actor. +- `registry_token`: Token to use for registry login. Defaults to GITHUB_TOKEN. +- `fetch_submodules`: Fetch submodules. Defaults to true. +- `platforms`: Platforms to build for (comma separated, e.g., linux/amd64,linux/arm64). +- `runner`: Runner to use for the job. Defaults to ubuntu-latest +- `cacheFrom`: Cache type from +- `cacheTo`: Cache type to +- `commit`: Commit SHA to use for git operations and tagging. Defaults to github.sha. + +#### How to use + +```yml +name: "Docker build and push" + +on: + push: + branches: + - main + - develop + +jobs: + CLAAssistant: + permissions: + contents: read + packages: write + id-token: write + name: "Docker build and push" + uses: ctfpilot/ci/.github/workflows/docker.yml@ with: repository: ```