diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 55ba470..23b1bb7 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -2,6 +2,7 @@ stages:
 - build
 - test
 - security
+ - tag
 - deploy
 
 variables:
@@ -102,15 +103,22 @@ cache:
 when: never
 
 .webhook-template: &webhook-config
- stage: deploy
 image: curlimages/curl:latest
 script:
 - |
- curl -s -X POST \
+ response=$(curl -s -w "\n%{http_code}" -X POST \
 -H "Content-Type: application/json" \
 -H "Authorization: Bearer $WEBHOOK_SECRET_TOKEN" \
 -H "Webhook-Identifier: $WEBHOOK_BYPASS_TOKEN" \
- "$WEBHOOK_URL"
+ "$WEBHOOK_URL")
+
+ body=$(echo "$response" | sed '$d')
+ status=$(echo "$response" | tail -n1)
+
+ echo "$body"
+
+ [ $? -ne 0 ] && echo "curl failed" && exit 1
+ [ "$status" -lt 200 ] || [ "$status" -ge 300 ] && echo "HTTP $status" && exit 1
 rules:
 - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
 when: on_success
@@ -125,8 +133,6 @@ cache:
 - |
 docker buildx create --use
 docker buildx build . \
- -t $IMAGE_NAME:latest \
- -t $IMAGE_NAME:$CI_COMMIT_REF_SLUG \
 -t $IMAGE_NAME:$CI_COMMIT_SHA \
 -f $CONTAINERFILE --target $BUILDTARGET --push \
 --cache-from type=registry,ref=$IMAGE_NAME-cache \
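Review bot: The `[ $? -ne 0 ] && echo "curl failed"` line in the new .webhook-template script never sees curl's exit status: under the runner's `set -e` a failing `response=$(curl …)` assignment aborts the block before that line, and if it did not, `$?` would already hold the status of `echo "$body"`; with `-s` and no `-S`, curl prints no error of its own either, so a DNS, TLS or connection failure leaves no explanation in the log. On a 2xx response the last line is an `&&` list that evaluates false, so the block ends with a non-zero status and the job is likely to fail on its success path as well. Capturing the status with `|| rc=$?` on the assignment, printing curl's errors with `-sS`, and finishing with `if`/`case` blocks that return 0 when nothing is wrong fixes both; an empty `status` (no response at all) should be treated as failure rather than passed to `-lt`, which errors out on a non-integer and ends up not failing the job.
```yaml
      rc=0
      response=$(curl -sS -w "\n%{http_code}" -X POST \
        # … unchanged: the three -H header lines …
        "$WEBHOOK_URL") || rc=$?
      body=$(printf '%s\n' "$response" | sed '$d')
      status=$(printf '%s\n' "$response" | tail -n1)
      echo "$body"
      if [ "$rc" -ne 0 ]; then
        echo "curl failed (exit $rc)"
        exit 1
      fi
      case "$status" in
        2[0-9][0-9]) ;;
        *) echo "HTTP ${status:-none}"; exit 1 ;;
      esac
```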
@@ -141,6 +147,42 @@ cache:
 when: manual
 allow_failure: true
 
+.tag-template: &tag-config
+ <<: *docker-job
+ stage: tag
+ script:
+ - |
+ set -euo pipefail
+ SOURCE_IMAGE="$IMAGE_NAME:$CI_COMMIT_SHA"
+ docker pull "$SOURCE_IMAGE"
+ DANGEROUS_TAGS=""
+ if [ -n "$CI_COMMIT_TAG" ]; then
+ DANGEROUS_TAGS="$DANGEROUS_TAGS $CI_COMMIT_TAG"
+ fi
+ if [ -n "$CI_COMMIT_BRANCH" ]; then
+ if [ "$CI_COMMIT_BRANCH" = "$CI_DEFAULT_BRANCH" ]; then
+ DANGEROUS_TAGS="$DANGEROUS_TAGS latest $CI_COMMIT_REF_SLUG"
+ else
+ DANGEROUS_TAGS="$DANGEROUS_TAGS $CI_COMMIT_REF_SLUG"
+ fi
+ fi
+ if [ -z "$DANGEROUS_TAGS" ]; then
+ echo "No tags to publish."
+ exit 0
+ fi
+ for TAG in $DANGEROUS_TAGS; do
+ [ -z "$TAG" ] && continue
+ TARGET_IMAGE="$IMAGE_NAME:$TAG"
+ docker tag "$SOURCE_IMAGE" "$TARGET_IMAGE"
+ docker push "$TARGET_IMAGE"
+ done
+ rules:
+ - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+ - if: $CI_COMMIT_TAG
+ - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
+ when: manual
+ allow_failure: true
+
 .uv-job: &uv-job
 image: debian:trixie-slim
 cache:
@@ -156,33 +198,6 @@ cache:
 - curl -LsSf https://astral.sh/uv/install.sh | sh
 - export PATH="$HOME/.local/bin:$PATH"
 
-sast-filesystem:
- <<: *trivy-fs-scan
-
-sast-image-runtime:
- <<: *trivy-image-scan
- variables:
- IMAGE_NAME: $BASE_IMAGE_NAME/backend
- IMAGE_TYPE: runtime
- dependencies:
- - build-runtime
-
-sast-image-tests:
- <<: *trivy-image-scan
- variables:
- IMAGE_NAME: $BASE_IMAGE_NAME/backend-tests
- IMAGE_TYPE: tests
- dependencies:
- - build-tests
-
-sast-image-migrations:
- <<: *trivy-image-scan
- variables:
- IMAGE_NAME: $BASE_IMAGE_NAME/backend-migrations
- IMAGE_TYPE: migrations
- dependencies:
- - build-migrations
-
 build-runtime:
 <<: *build-config
 variables:
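Review bot: `set -euo pipefail` in the new .tag-template script is at odds with the unguarded `$CI_COMMIT_TAG` and `$CI_COMMIT_BRANCH` expansions that follow it: GitLab documents CI_COMMIT_TAG as available only in tag pipelines and CI_COMMIT_BRANCH as available only in branch pipelines, so in every pipeline the rules admit one of the two appears to be unset rather than empty, and `set -u` would abort the job with an unbound-variable error before any tag is pushed. Default expansions on the three tests avoid that: `if [ -n "${CI_COMMIT_TAG:-}" ]; then`, `if [ -n "${CI_COMMIT_BRANCH:-}" ]; then` and `if [ "${CI_COMMIT_BRANCH:-}" = "$CI_DEFAULT_BRANCH" ]; then`. Separately, the `- if: $CI_COMMIT_TAG` rule publishes an image tag for any git tag, so a tag named like an existing image tag (for example `latest`) would overwrite the default-branch image; adding `&& $CI_COMMIT_REF_PROTECTED == "true"` to that rule limits this to refs the project protects. The `.docker-job` anchor this template merges is outside the diff, so whether its image's shell accepts `set -o pipefail` cannot be confirmed here.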
@@ -236,7 +251,7 @@ test:
 ) | tee -a compose.log &
 - LOGS_PID=$!
 - |
- REGISTRY_PREFIX=$CI_REGISTRY_IMAGE \
+ REGISTRY_PREFIX=$CI_REGISTRY_IMAGE IMAGE_TAG=$CI_COMMIT_SHA \
 docker compose -f compose.yaml -f compose.prod.yaml \
 $PROFILES up -d --quiet-pull --quiet-build 2>&1 | tee compose.log
 - |
@@ -272,8 +287,51 @@ test:
 - build-tests
 - build-migrations
 
+sast-filesystem:
+ <<: *trivy-fs-scan
+
+sast-image-runtime:
+ <<: *trivy-image-scan
+ variables:
+ IMAGE_NAME: $BASE_IMAGE_NAME/backend
+ IMAGE_TYPE: runtime
+ dependencies:
+ - build-runtime
+
+sast-image-tests:
+ <<: *trivy-image-scan
+ variables:
+ IMAGE_NAME: $BASE_IMAGE_NAME/backend-tests
+ IMAGE_TYPE: tests
+ dependencies:
+ - build-tests
+
+sast-image-migrations:
+ <<: *trivy-image-scan
+ variables:
+ IMAGE_NAME: $BASE_IMAGE_NAME/backend-migrations
+ IMAGE_TYPE: migrations
+ dependencies:
+ - build-migrations
+
+tag-runtime:
+ <<: *tag-config
+ variables:
+ IMAGE_NAME: $BASE_IMAGE_NAME/backend
+
+tag-tests:
+ <<: *tag-config
+ variables:
+ IMAGE_NAME: $BASE_IMAGE_NAME/backend-tests
+
+tag-migrations:
+ <<: *tag-config
+ variables:
+ IMAGE_NAME: $BASE_IMAGE_NAME/backend-migrations
+
 webhook-migrations-deploy:
 <<: *webhook-config
+ stage: deploy
 variables:
 WEBHOOK_URL: $WEBHOOK_URL_MIGRATIONS
 resource_group: staging
@@ -283,6 +341,7 @@ webhook-migrations-deploy:
 
 webhook-backend-deploy:
 <<: *webhook-config
+ stage: deploy
 variables:
 WEBHOOK_URL: $WEBHOOK_URL_BACKEND
 environment:
diff --git a/compose.prod.yaml b/compose.prod.yaml
index c4ec125..f53322a 100644
--- a/compose.prod.yaml
+++ b/compose.prod.yaml
@@ -1,9 +1,9 @@
 services:
 backend:
- image: "${REGISTRY_PREFIX}/backend"
+ image: "${REGISTRY_PREFIX}/backend:${IMAGE_TAG}"
 
 tests:
- image: "${REGISTRY_PREFIX}/backend-tests"
+ image: "${REGISTRY_PREFIX}/backend-tests:${IMAGE_TAG}"
 
 migrations:
- image: "${REGISTRY_PREFIX}/backend-migrations"
+ image: "${REGISTRY_PREFIX}/backend-migrations:${IMAGE_TAG}"
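Review bot: The re-added sast-image-runtime, sast-image-tests and sast-image-migrations jobs still hand the `.trivy-image-scan` template a bare `IMAGE_NAME` with no tag, and that template is outside this diff; now that build-config pushes only `$IMAGE_NAME:$CI_COMMIT_SHA`, a template that scans `:latest` or `:$CI_COMMIT_REF_SLUG` would be scanning whatever an earlier pipeline published, and the new tag stage would then promote an image the security stage never looked at. Worth confirming the template pins `$CI_COMMIT_SHA`, or, if it takes a tag variable, setting it explicitly next to each job's `IMAGE_NAME`. The compose change in this commit already makes the test stage use the SHA-tagged image, so the scan jobs are the remaining consumer to check.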
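Review bot: In compose.prod.yaml the new `${IMAGE_TAG}` expansion has no default or guard, so running the file without IMAGE_TAG in the environment renders references like `${REGISTRY_PREFIX}/backend:` with an empty tag, which is only reported as an invalid image reference at pull time. The CI job in this commit does pass `IMAGE_TAG=$CI_COMMIT_SHA`, but anyone invoking compose by hand will not; `image: "${REGISTRY_PREFIX}/backend:${IMAGE_TAG:?IMAGE_TAG must be set}"`, applied to all three services, turns the omission into an explicit error before any container is started.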