diff --git a/.woodpecker/build.yaml b/.woodpecker/build.yaml
index 04a8cbc..073dfde 100644
--- a/.woodpecker/build.yaml
+++ b/.woodpecker/build.yaml
@@ -1,51 +1,22 @@
-# Build and Publish Docker image
+# Build and Publish Docker image (runs on push to main - deploy manually)
 # Secrets required in Woodpecker: gitea_registry_username, gitea_package_token, discord_webhook_url
+# Project must be set to "Trusted" in Woodpecker for the Docker build step (privileged).
 when:
   branch: main
   event: push
 
 steps:
-  - name: Docker image build
-    image: docker:latest
-    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock
-    commands:
-      - set -e
-      - echo "=== Building Docker image ==="
-      - 'echo "Commit SHA: ${CI_COMMIT_SHA:0:8}"'
-      - |
-        docker build \
-          --tag git.mifi.dev/mifi-holdings/mail-autoconfig:${CI_COMMIT_SHA} \
-          --tag git.mifi.dev/mifi-holdings/mail-autoconfig:latest \
-          --label "git.commit=${CI_COMMIT_SHA}" \
-          --label "git.branch=${CI_COMMIT_BRANCH}" \
-          .
-
-  - name: Push to registry
-    image: docker:latest
-    environment:
-      REGISTRY_URL: git.mifi.dev
-      REGISTRY_REPO: git.mifi.dev/mifi-holdings/mail-autoconfig
-      REGISTRY_USERNAME:
+  - name: Build and Publish Docker Image
+    image: woodpeckerci/plugin-docker-buildx:latest
+    privileged: true
+    settings:
+      repo: git.mifi.dev/mifi-holdings/mail-autoconfig
+      registry: git.mifi.dev
+      auto_tag: true
+      username:
         from_secret: gitea_registry_username
-      REGISTRY_PASSWORD:
+      password:
         from_secret: gitea_package_token
-    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock
-    depends_on:
-      - Docker image build
-    commands:
-      - set -e
-      - echo "=== Pushing to registry ==="
-      - |
-        if [ -z "$REGISTRY_USERNAME" ] || [ -z "$REGISTRY_PASSWORD" ]; then
-          echo "ERROR: REGISTRY_USERNAME or REGISTRY_PASSWORD is empty - check secret names match Woodpecker (gitea_registry_username, gitea_package_token)"
-          exit 1
-        fi
-      - echo "$REGISTRY_PASSWORD" | docker login "$REGISTRY_URL" -u "$REGISTRY_USERNAME" --password-stdin
-      - docker push $REGISTRY_REPO:${CI_COMMIT_SHA}
-      - docker push $REGISTRY_REPO:latest
-      - echo "✓ Images pushed successfully"
 
   - name: Send Deploy Status Notification
     image: curlimages/curl