diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index 0a0cbe4..c699c22 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -57,10 +57,12 @@ jobs:
 with:
 images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
 tags: |
- type=sha,format=long
+ type=sha,format=long,enable=${{ github.ref_type != 'tag' }}
 type=ref,event=branch
 type=ref,event=pr
- flavor: latest=true
+ type=semver,pattern={{version}}
+ type=raw,value=latest,enable={{is_default_branch}}
+ flavor: latest=false

 # Build and push Docker image with Buildx (don't push on PR)
 # https://github.com/docker/build-push-action
@@ -69,7 +71,7 @@ jobs:
 uses: docker/build-push-action@v2
 with:
 context: .
- push: ${{ github.event_name != 'pull_request' }}
+ push: ${{ github.event.base_ref =='refs/heads/master' && github.ref_type == 'tag' && !startsWith(github.ref, 'refs/tags/v0.')}}
 tags: ${{ steps.meta.outputs.tags }}
 labels: ${{ steps.meta.outputs.labels }}

@@ -84,4 +86,11 @@ jobs:
 COSIGN_EXPERIMENTAL: "true"
 # This step uses the identity token to provision an ephemeral certificate
 # against the sigstore community Fulcio instance.
- run: cosign sign ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:master@${{ steps.build-and-push.outputs.digest }}
+ run: |
+ tags=(
+ ${{ steps.meta.outputs.tags }}
+ )
+
+ for tag in ${tags[@]} ; do
+ cosign sign $tag@${{ steps.build-and-push.outputs.digest }}
+ done
\ No newline at end of file
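Review bot: `type=raw,value=latest,enable={{is_default_branch}}` combined with `flavor: latest=false` looks like it can never produce `latest` on a build that is actually published. The `push:` expression changed later in this diff publishes only for tag refs, and on a tag ref `{{is_default_branch}}` should evaluate to false (the metadata-action version is outside the hunk, so please confirm). If `latest` is meant to follow releases, enable the raw tag on tags instead, e.g. `type=raw,value=latest,enable=${{ github.ref_type == 'tag' }}`, or drop the flavor override and let the semver rule set it.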
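Review bot: The `github.event.base_ref =='refs/heads/master'` term in the new `push:` expression is a weak check that a release tag belongs to master. As far as I know, `base_ref` on a tag push is only populated when the tag is pushed together with or at a branch head, and is empty otherwise, so a legitimate release can silently skip publishing. It also does not prove the tagged commit is reachable from master. If the intent is "publish only from master", add a step that runs `git merge-base --is-ancestor "$GITHUB_SHA" origin/master` and gate `push:` on its result, alongside tag protection rules. The signing step's `if:` is outside this hunk; it should carry the same condition so it does not run when nothing was pushed.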
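Review bot: The new `run:` block pastes `${{ steps.meta.outputs.tags }}` and the digest directly into the script text and then expands `${tags[@]}` and `$tag` unquoted, so tag values are parsed by the shell instead of being handled as data. Some of those tags derive from ref names via `type=ref,event=branch` and `type=ref,event=pr`, so they should be passed through `env:` and read line by line with quoted expansions, as sketched below. Every iteration signs the same digest, so a single `cosign sign` on the image digest may be enough; the loop is kept here to match the change. The step's `env:` key and any `if:` guard are outside the hunk.

```yaml
          COSIGN_EXPERIMENTAL: "true"
          TAGS: ${{ steps.meta.outputs.tags }}
          DIGEST: ${{ steps.build-and-push.outputs.digest }}
        # … unchanged: comment lines about the Fulcio certificate …
        run: |
          while IFS= read -r tag; do
            [ -n "$tag" ] || continue
            cosign sign "${tag}@${DIGEST}"
          done <<< "$TAGS"
```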