diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 646ca0db..197f0c3e 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -64,3 +64,12 @@ jobs:
       - name: Release
         if: contains(steps.check_versions.outputs.is_new_version, 'true')
         run: ./ctl.sh release
+      - name: Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: tombh
+          password: ${{ secrets.DOCKER_ACCESS_TOKEN }}
+      - name: Docker Release
+        run: ./ctl.sh docker_release
+      - name: Update Browsh Website
+        run: ./ctl.sh update_browsh_website_with_new_version
diff --git a/Dockerfile b/Dockerfile
index 0c500882..7199d26e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM bitnami/minideb:stretch as build
+FROM bitnami/minideb:bullseye as build
 
 RUN install_packages \
       curl \
@@ -13,68 +13,76 @@ RUN install_packages \
       libssl-dev \
       pkg-config \
       libprotobuf-dev \
-      make
+      make \
+      bzip2
+
+# Helper scripts
+RUN mkdir /build
+WORKDIR /build
+ADD .git .git
+ADD .github .github
+ADD scripts scripts
+ADD ctl.sh .
 
 # Install Golang
 ENV GOROOT=/go
 ENV GOPATH=/go-home
 ENV PATH=$GOROOT/bin:$GOPATH/bin:$PATH
-RUN curl -L -o go.tar.gz https://dl.google.com/go/go1.9.2.linux-amd64.tar.gz
-RUN mkdir -p $GOPATH/bin
-RUN tar -C / -xzf go.tar.gz
+RUN /build/ctl.sh install_golang
+
+# Install firefox
+RUN /build/ctl.sh install_firefox
 
+# Build Browsh
 ENV BASE=$GOPATH/src/browsh/interfacer
 WORKDIR $BASE
 ADD interfacer $BASE
-
-# Build Browsh
-RUN $BASE/contrib/build_browsh.sh
+RUN /build/ctl.sh build_browsh_binary $BASE
 
 
 ###########################
 # Actual final Docker image
 ###########################
-FROM bitnami/minideb:stretch
+FROM bitnami/minideb:bullseye
 
 ENV HOME=/app
-WORKDIR /app
+WORKDIR $HOME
 
-COPY --from=build /go-home/src/browsh/interfacer/browsh /app/browsh
+COPY --from=build /go-home/src/browsh/interfacer/browsh /app/bin/browsh
+COPY --from=build /tmp/firefox /app/bin/firefox
 
 RUN install_packages \
       xvfb \
       libgtk-3-0 \
       curl \
       ca-certificates \
-      bzip2 \
       libdbus-glib-1-2 \
-      procps
+      procps \
+      libasound2 \
+      libxtst6
 
 # Block ads, etc. This includes porn just because this image is also used on the
 # public SSH demo: `ssh brow.sh`.
-RUN curl -o /etc/hosts https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews-gambling-porn-social/hosts
+RUN curl \
+  -o /etc/hosts \
+  https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews-gambling-porn-social/hosts
 
 # Don't use root
 RUN useradd -m user --home /app
 RUN chown user:user /app
 USER user
 
-# Setup Firefox
-ENV PATH="${HOME}/bin/firefox:${PATH}"
-ADD .travis.yml .
-ADD interfacer/contrib/setup_firefox.sh .
-RUN ./setup_firefox.sh
-RUN rm setup_firefox.sh && rm .travis.yml
+ENV PATH="${HOME}/bin:${HOME}/bin/firefox:${PATH}"
 
 # Firefox behaves quite differently to normal on its first run, so by getting
 # that over and done with here when there's no user to be dissapointed means
 # that all future runs will be consistent.
 RUN TERM=xterm script \
   --return \
-  -c "/app/browsh" \
+  -c "/app/bin/browsh" \
   /dev/null \
   >/dev/null & \
   sleep 10
 
-CMD ["/app/browsh"]
+CMD ["/app/bin/browsh"]
 
diff --git a/scripts/docker.bash b/scripts/docker.bash
new file mode 100644
index 00000000..8d758a1c
--- /dev/null
+++ b/scripts/docker.bash
@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+
+function docker_image_name() {
+	echo browsh/browsh:v"$BROWSH_VERSION"
+}
+
+function docker_build() {
+	local og_xpi && og_xpi=$(versioned_xpi_file)
+	[ ! -f "$og_xpi" ] && _panic "Can't find latest webextension build: $og_xpi"
+	[ ! -f "$XPI_PATH" ] && _panic "Can't find bundleable browsh.xpi: $XPI_PATH"
+	if [ "$(_md5 "$og_xpi")" != "$(_md5 "$XPI_PATH")" ]; then
+		_panic "XPI file's MD5 does not match original XPI file's MD5"
+	fi
+	docker build -t "$(docker_image_name)" .
+}
+
+function is_docker_logged_in() {
+	docker system info | grep -E 'Username|Registry'
+}
+
+function docker_login() {
+	docker login docker.io \
+		-u tombh \
+		-p "$DOCKER_ACCESS_TOKEN"
+}
+
+function docker_release() {
+	! is_docker_logged_in && try_docker_login
+	docker_build
+	docker push "$(docker_image_name)"
+}
diff --git a/scripts/misc.bash b/scripts/misc.bash
index 3e82619d..79323293 100644
--- a/scripts/misc.bash
+++ b/scripts/misc.bash
@@ -1,4 +1,4 @@
-#!/bin/env bash
+#!/usr/bin/env bash
 
 function golang_lint_check() {
 	pushd "$PROJECT_ROOT"/interfacer || _panic
@@ -15,3 +15,55 @@ function prettier_fix() {
 	prettier --write '{src,test}/**/*.js'
 	popd || _panic
 }
+
+function parse_firefox_version_from_ci_config() {
+	local line && line=$(grep 'firefox-version:' <"$PROJECT_ROOT"/.github/workflows/main.yml)
+	local version && version=$(echo "$line" | tr -s ' ' | cut -d ' ' -f 3)
+	[ "$version" = "" ] && _panic "Couldn't parse Firefox version"
+	echo -n "$version"
+}
+
+function install_firefox() {
+	local version && version=$(parse_firefox_version_from_ci_config)
+	local destination=/tmp
+	echo "Installing Firefox v$version to $destination..."
+	mkdir -p "$destination"
+	pushd "$destination" || _panic
+	curl -L -o firefox.tar.bz2 \
+		"https://ftp.mozilla.org/pub/firefox/releases/$version/linux-x86_64/en-US/firefox-$version.tar.bz2"
+	bzip2 -d firefox.tar.bz2
+	tar xf firefox.tar
+	popd || _panic
+}
+
+function parse_golang_version_from_ci_config() {
+	local line && line=$(grep 'go-version:' <"$PROJECT_ROOT"/.github/workflows/main.yml)
+	local version && version=$(echo "$line" | tr -s ' ' | cut -d ' ' -f 3)
+	[ "$version" = "" ] && _panic "Couldn't parse Golang version"
+	echo -n "$version"
+}
+
+function install_golang() {
+	local version && version=$(parse_golang_version_from_ci_config)
+	[ "$GOPATH" = "" ] && _panic "GOPATH not set"
+	[ "$GOROOT" = "" ] && _panic "GOROOT not set"
+	echo "Installing Golang v$version... to $GOROOT"
+	curl -L \
+		-o go.tar.gz \
+		https://dl.google.com/go/go"$version".linux-amd64.tar.gz
+	mkdir -p "$GOPATH"/bin
+	mkdir -p "$GOROOT"
+	tar -C "$GOROOT/.." -xzf go.tar.gz
+	go version
+}
+
+function build_browsh_binary() {
+	local path=$1
+	pushd "$path" || _panic
+	local webextension="src/browsh/browsh.xpi"
+	[ ! -f "$webextension" ] && _panic "browsh.xpi not present"
+	md5sum "$webextension"
+	go build ./cmd/browsh
+	./browsh --version
+	popd || _panic
+}