diff --git a/.github/workflows/checks.yaml b/.github/workflows/checks.yaml
index 5012e418..586719bc 100644
--- a/.github/workflows/checks.yaml
+++ b/.github/workflows/checks.yaml
@@ -29,7 +29,7 @@ jobs:
         uses: actions/setup-go@v6
         with:
           check-latest: true
-          go-version: 1.25.5
+          go-version: 1.25.6
       - name: Run prepare make target
         run: make generate
       - name: Run golangci-lint
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 48ea11e9..b5f45fcf 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -32,7 +32,7 @@ jobs:
         uses: actions/setup-go@v6
         with:
           check-latest: true
-          go-version: 1.25.5
+          go-version: 1.25.6
       - name: Run prepare make target
         run: make generate
       - name: Build all binaries
@@ -67,7 +67,7 @@ jobs:
         uses: actions/setup-go@v6
         with:
           check-latest: true
-          go-version: 1.25.5
+          go-version: 1.25.6
       - name: Run prepare make target
         run: make generate
       - name: Run tests and generate coverage report
diff --git a/.github/workflows/container-registry-ghcr.yaml b/.github/workflows/container-registry-ghcr.yaml
new file mode 100644
index 00000000..c7bdaef4
--- /dev/null
+++ b/.github/workflows/container-registry-ghcr.yaml
@@ -0,0 +1,58 @@
+################################################################################
+# This file is AUTOGENERATED with <https://github.com/sapcc/go-makefile-maker> #
+# Edit Makefile.maker.yaml instead.                                            #
+################################################################################
+
+# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company
+# SPDX-License-Identifier: Apache-2.0
+
+name: Container Registry GHCR
+"on":
+  push:
+    branches:
+      - main
+  workflow_dispatch: {}
+permissions:
+  contents: read
+  packages: write
+jobs:
+  build-and-push-image:
+    name: Push container to ghcr.io
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v6
+      - name: Log in to the Container registry
+        uses: docker/login-action@v3
+        with:
+          password: ${{ secrets.GITHUB_TOKEN }}
+          registry: ghcr.io
+          username: ${{ github.actor }}
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ghcr.io/${{ github.repository }}
+          tags: |
+            # https://github.com/docker/metadata-action#typeedge
+            type=edge
+            # https://github.com/docker/metadata-action#latest-tag
+            type=raw,value=latest,enable={{is_default_branch}}
+            # https://github.com/docker/metadata-action#typesemver
+            type=semver,pattern={{raw}}
+            type=semver,pattern=v{{major}}.{{minor}}
+            type=semver,pattern=v{{major}}
+            # https://github.com/docker/metadata-action#typesha
+            type=sha,format=long
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          labels: ${{ steps.meta.outputs.labels }}
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
diff --git a/.github/workflows/goreleaser.yaml b/.github/workflows/goreleaser.yaml
index 4a8f36ca..043be600 100644
--- a/.github/workflows/goreleaser.yaml
+++ b/.github/workflows/goreleaser.yaml
@@ -27,7 +27,7 @@ jobs:
         uses: actions/setup-go@v6
         with:
           check-latest: true
-          go-version: 1.25.5
+          go-version: 1.25.6
       - name: Run prepare make target
         run: make generate
       - name: Install syft
diff --git a/Makefile b/Makefile
index a645e535..915afd2a 100644
--- a/Makefile
+++ b/Makefile
@@ -249,7 +249,7 @@ generate: install-controller-gen
 	@printf "\e[1;36m>> controller-gen\e[0m\n"
 	@controller-gen crd rbac:roleName=manager-role webhook paths="./..." output:crd:artifacts:config=config/crd/bases
 	@controller-gen object:headerFile="hack/boilerplate.go.txt" paths="./..."
-	@controller-gen applyconfiguration paths="./..."
+	@controller-gen applyconfiguration:headerFile="hack/boilerplate.go.txt" paths="./..."
 
 run-golangci-lint: FORCE install-golangci-lint
 	@printf "\e[1;36m>> golangci-lint\e[0m\n"
@@ -293,9 +293,9 @@ tidy-deps: FORCE
 
 license-headers: FORCE install-addlicense
 	@printf "\e[1;36m>> addlicense (for license headers on source code files)\e[0m\n"
-	@printf "%s\0" $(patsubst $(shell awk '$$1 == "module" {print $$2}' go.mod)%,.%/*.go,$(shell go list ./...)) | $(XARGS) -0 -I{} bash -c 'year="$$(grep 'Copyright' {} | head -n1 | grep -E -o '"'"'[0-9]{4}(-[0-9]{4})?'"'"')"; if [[ -z "$$year" ]]; then year=$$(date +%Y); fi; gawk -i inplace '"'"'{if (display) {print} else {!/^\/\*/ && !/^\*/}}; {if (!display && $$0 ~ /^(package |$$)/) {display=1} else { }}'"'"' {}; addlicense -c "SAP SE or an SAP affiliate company" -s=only -y "$$year" -- {}; $(SED) -i '"'"'1s+// Copyright +// SPDX-FileCopyrightText: +'"'"' {}; '
+	@printf "%s\0" $(patsubst $(shell awk '$$1 == "module" {print $$2}' go.mod)%,.%/*.go,$(shell go list ./...)) | $(XARGS) -0 -I{} bash -c 'year="$$(grep 'Copyright' {} | head -n1 | grep -E -o '"'"'[0-9]{4}(-[0-9]{4})?'"'"')"; if [[ -z "$$year" ]]; then year=$$(date +%Y); fi; gawk -i inplace '"'"'{if (display) {print} else {!/^\/\*/ && !/^\*/}}; {if (!display && $$0 ~ /^(package |$$)/) {display=1} else { }}'"'"' {}; addlicense -c "SAP SE or an SAP affiliate company and IronCore contributors" -s=only -y "$$year" -- {}; $(SED) -i '"'"'1s+// Copyright +// SPDX-FileCopyrightText: +'"'"' {}; '
 	@printf "\e[1;36m>> reuse annotate (for license headers on other files)\e[0m\n"
-	@reuse lint -j | jq -r '.non_compliant.missing_licensing_info[]' | grep -vw vendor | $(XARGS) reuse annotate -c 'SAP SE or an SAP affiliate company' -l Apache-2.0 --skip-unrecognised
+	@reuse lint -j | jq -r '.non_compliant.missing_licensing_info[]' | grep -vw vendor | $(XARGS) reuse annotate -c 'SAP SE or an SAP affiliate company and IronCore contributors' -l Apache-2.0 --skip-unrecognised
 	@printf "\e[1;36m>> reuse download --all\e[0m\n"
 	@reuse download --all
 	@printf "\e[1;35mPlease review the changes. If *.license files were generated, consider instructing go-makefile-maker to add overrides to REUSE.toml instead.\e[0m\n"
diff --git a/Makefile.maker.yaml b/Makefile.maker.yaml
index 080e50e2..15217986 100644
--- a/Makefile.maker.yaml
+++ b/Makefile.maker.yaml
@@ -12,12 +12,14 @@ controllerGen:
   enabled: true
   crdOutputPath: config/crd/bases
   objectHeaderFile: hack/boilerplate.go.txt
+  applyconfigurationHeaderFile: hack/boilerplate.go.txt
   rbacRoleName: manager-role
 
 coverageTest:
   only: "/internal"
 
 dockerfile:
+  # Custom Dockerfile using Distroless base image
   enabled: false
 
 golang:
@@ -32,7 +34,14 @@ golangciLint:
 goReleaser:
   createConfig: true
 
+license:
+  addHeaders: true
+  checkDependencies: true
+  copyright: 'SAP SE or an SAP affiliate company and IronCore contributors'
+  spdx: Apache-2.0
+
 reuse:
+  # Custom REUSE.toml with minimal settings
   enabled: false
 
 renovate:
@@ -55,6 +64,14 @@ githubWorkflow:
     enabled: true
   securityChecks:
     enabled: true
+  pushContainerToGhcr:
+    enabled: true
+    platforms: "linux/amd64,linux/arm64"
+    tagStrategy:
+      - edge
+      - latest
+      - semver
+      - sha
 
 variables:
   GO_BUILDENV: 'CGO_ENABLED=0'