diff --git a/.github/workflows/dockerize-cli.yaml b/.github/workflows/dockerize-cli.yaml
new file mode 100644
index 000000000..68185d4f8
--- /dev/null
+++ b/.github/workflows/dockerize-cli.yaml
@@ -0,0 +1,74 @@
+on:
+  workflow_call:
+    inputs:
+      registry:
+        default: ghcr.io
+        type: string
+      imageName:
+        default: ${{ github.repository }}
+        type: string
+      cliVersion:
+        required: true
+        type: string
+
+jobs:
+  build-cli-docker-image:
+    name: Build CLI Docker Image
+    runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+      packages: write
+      pull-requests: write
+    steps:
+      - name: checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 2
+      - name: configure eqemu
+        uses: docker/setup-qemu-action@v3
+        with:
+          platforms: 'linux/arm64,linux/amd64'
+      - name: configure docker buildx
+        uses: docker/setup-buildx-action@v3
+      - name: login to docker registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ inputs.registry }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Prepare Bake inputs
+        id: docker-bake-inputs
+        run: |
+          targets=$(docker buildx bake -f docker/docker.hcl --print build | jq -r '.group.build.targets[]')
+          input_set=""
+          first=0
+
+          EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64)
+
+          echo "set<<$EOF" >> "$GITHUB_ENV"
+          for target in $targets
+          do
+              echo "$target.cache-from=type=gha,ignore-error=true,scope=$GITHUB_REF-$target" >> "$GITHUB_ENV"
+              echo "$target.cache-to=type=gha,ignore-error=true,mode=max,scope=$GITHUB_REF-$target" >> "$GITHUB_ENV"
+          done
+          echo "$EOF" >> "$GITHUB_ENV"
+
+      - name: build docker images
+        timeout-minutes: 360
+        id: docker-bake
+        uses: docker/bake-action@v5
+        env:
+          DOCKER_REGISTRY: ${{ inputs.registry }}/${{ inputs.imageName }}/
+          COMMIT_SHA: ${{ inputs.cliVersion }}
+          RELEASE: ${{ inputs.cliVersion }}
+          BUILD_TYPE: 'publish'
+          PWD: ${{ github.workspace }}
+        with:
+          # See https://github.com/docker/buildx/issues/1533
+          provenance: false
+          push: true
+          files: docker/docker.hcl
+          targets: cli
+          set: |
+            ${{ steps.docker-bake-inputs.outputs.set }}
diff --git a/.github/workflows/release-alpha.yaml b/.github/workflows/release-alpha.yaml
index d4d55c3eb..86e754c83 100644
--- a/.github/workflows/release-alpha.yaml
+++ b/.github/workflows/release-alpha.yaml
@@ -108,3 +108,30 @@ jobs:
           tar -xzf *.tar.gz
           # Expect the command to succeed
           ./hive/bin/hive --version || exit 1
+
+  extract-cli-version:
+    needs: [npm]
+    runs-on: ubuntu-22.04
+    name: Extract CLI version
+    outputs:
+      published: ${{ steps.cli.outputs.published }}
+      version: ${{ steps.cli.outputs.version }}
+    steps:
+      - name: Extract published version
+        if:
+          needs.npm.outputs.published && contains(needs.npm.outputs.publishedPackages,
+          '"@graphql-hive/cli"')
+        id: cli
+        run: |
+          echo '${{needs.npm.outputs.publishedPackages}}' > cli-ver.json
+          VERSION=`echo $(jq -r '.[] | select(.name | endswith("@graphql-hive/cli")).version' cli-ver.json)`
+          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
+          echo "published=true" >> "$GITHUB_OUTPUT"
+
+  publish_docker:
+    needs: [extract-cli-version]
+    uses: ./.github/workflows/dockerize-cli.yaml
+    if: ${{ needs.extract-cli-version.outputs.published == 'true' }}
+    with:
+      cliVersion: ${{ needs.extract-cli-version.outputs.version }}
+    secrets: inherit
diff --git a/.github/workflows/release-stable.yaml b/.github/workflows/release-stable.yaml
index 488a859b8..6e29ae9ed 100644
--- a/.github/workflows/release-stable.yaml
+++ b/.github/workflows/release-stable.yaml
@@ -80,14 +80,9 @@ jobs:
         run: pnpm oclif promote --no-xz --sha ${GITHUB_SHA:0:7} --version $VERSION
 
   publish_docker:
-    needs: publish
-    uses: ./.github/workflows/build-and-dockerize.yaml
-    if: needs.publish.outputs.publish == 'true'
+    needs: [publish]
+    uses: ./.github/workflows/dockerize-cli.yaml
+    if: ${{ needs.publish.outputs.publish == 'true' }}
     with:
-      imageTag: ${{ needs.publish.outputs.version }}
-      publishSourceMaps: false
-      publishLatest: true
-      publishPrComment: false
-      targets: cli
-      uploadJavaScriptArtifacts: false
+      cliVersion: ${{ needs.publish.outputs.version }}
     secrets: inherit
diff --git a/docker/cli.dockerfile b/docker/cli.dockerfile
index 688189eb6..e82984391 100644
--- a/docker/cli.dockerfile
+++ b/docker/cli.dockerfile
@@ -2,13 +2,11 @@ FROM node:22.4.1-slim
 
 RUN apt-get update && apt-get install -y ca-certificates
 
+ARG CLI_VERSION
+
 WORKDIR /usr/src/app
 
-COPY package.json /usr/src/app
-
-RUN npm install --omit=dev
-
-COPY . /usr/src/app/
+RUN npm install --global @graphql-hive/cli@${CLI_VERSION}
 
 LABEL org.opencontainers.image.title=$IMAGE_TITLE
 LABEL org.opencontainers.image.version=$RELEASE
@@ -20,6 +18,6 @@ LABEL org.opencontainers.image.source="https://github.com/kamilkisiela/graphql-h
 
 ENV ENVIRONMENT production
 ENV RELEASE $RELEASE
-RUN npx . --version
+RUN hive --version
 
-ENTRYPOINT ["npx", "."]
+ENTRYPOINT ["hive"]
diff --git a/docker/docker.hcl b/docker/docker.hcl
index b0577ab39..d43cd55c3 100644
--- a/docker/docker.hcl
+++ b/docker/docker.hcl
@@ -405,6 +405,8 @@ target "cli" {
   args = {
     IMAGE_TITLE = "graphql-hive/cli"
     IMAGE_DESCRIPTION = "GraphQL Hive CLI"
+    # note that for CLI we always pass the npm version ! ! !
+    CLI_VERSION = "${COMMIT_SHA}"
   }
   tags = [
     local_image_tag("cli"),