diff --git a/.github/workflows/docker-publish.yaml b/.github/workflows/docker-publish.yaml
index b99e6f2..d2370ad 100644
--- a/.github/workflows/docker-publish.yaml
+++ b/.github/workflows/docker-publish.yaml
@@ -9,7 +9,6 @@ on:
 
 permissions:
   contents: read
-  packages: write
 
 jobs:
   build-and-push:
@@ -22,18 +21,28 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
-      - name: Log in to GHCR
-        uses: docker/login-action@v3
+      # 1) Configure AWS creds (needed for ECR auth)
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
         with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
+          aws-access-key-id: ${{ secrets.TF_AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.TF_AWS_SECRET_ACCESS_KEY }}
+          aws-region: us-east-1
+
+      # 2) Login to Public ECR
+      - name: Login to Amazon ECR Public
+        id: login-ecr-public
+        uses: aws-actions/amazon-ecr-login@v2
+        with:
+          registry-type: public
 
       - name: Compute image tags
         id: vars
         run: |
-          # Lowercase the repo for GHCR
-          IMAGE="ghcr.io/${GITHUB_REPOSITORY,,}"
+          REGISTRY="public.ecr.aws"
+          ALIAS="dlc-link"
+          REPO="cantcost"
+          IMAGE="${REGISTRY}/${ALIAS}/${REPO}"
 
           if [[ "${GITHUB_REF_TYPE}" == "tag" ]]; then
             TAG_NAME="${GITHUB_REF_NAME}"   # e.g. v1.2.3
diff --git a/README.md b/README.md
index 4d14546..94b05fa 100644
--- a/README.md
+++ b/README.md
@@ -103,7 +103,7 @@ The message is the raw log line from the Canton participant node. You can get it
 
 #### Deploy it
 
-You should change the values in the zarf/deployment/devnet/manifest.yaml file. Note: this is just an example, because the Kubernetes service account needs proper RBAC permissions to read the pod logs.
+You can find pre-built images on [our container registry](https://gallery.ecr.aws/dlc-link/cantcost). You should change the values in the zarf/deployment/devnet/manifest.yaml file. Note: this is just an example, because the Kubernetes service account needs proper RBAC permissions to read the pod logs.
 
 - Change the image location in the `spec.containers.image` field. This can be a predefined one from us or your own build.
 - Change the namespace everywhere for your desired namespace.
diff --git a/zarf/deployment/devnet/manifest.yaml b/zarf/deployment/devnet/manifest.yaml
index ce69101..8dfb83c 100644
--- a/zarf/deployment/devnet/manifest.yaml
+++ b/zarf/deployment/devnet/manifest.yaml
@@ -16,7 +16,7 @@ spec:
       serviceAccountName: cantcost-sa
       containers:
         - name: cantcost
-          image: ghcr.io/dlc-link/cantcost:version
+          image: public.ecr.aws/dlc-link/cantcost:version
           imagePullPolicy: IfNotPresent
           env:
             # Deployment whose pods' logs you want to read