diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index 7e7be9a..78c87cb 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -59,7 +59,7 @@ jobs:
 with:
 tag: v${{ steps.tag.outputs.version }}
- container:
+ publish:
 name: Publish Container Image
 runs-on: ubuntu-latest
@@ -73,75 +73,61 @@ jobs:
 fetch-tags: true
 ref: main
- - name: Build, Scan, and Publish Container Image
- id: build-scan-publish
- uses: usps/fast-track-container-image-action@v1.0.0
+ # Create the list of image tags that will be published. If a prerelease is
+ # being published (e.g. `1.2.3-alpha.4`), only the prerelease tag will be
+ # published (`v1.2.3-alpha.4`). Otherwise, the following tags will be
+ # published:
+ # - `latest`
+ # - `v1.2.3`
+ # - `v1.2`
+ # - `v1`
+ - name: Set Image Tags
+ id: tags
+ uses: actions/github-script@v7
+ with:
+ script: |
+ const version = '${{ needs.release.outputs.version }}'
+
+ // Check if prerelease (e.g. 1.2.3-alpha.4)
+ if (version.includes('-')) {
+ // Only output the prerelease tag
+ core.setOutput('tags', `type=raw,value=v${version}`)
+ } else {
+ // Output all the tags
+ let tags = [
+ 'type=raw,value=latest',
+ `type=raw,value=v${version}`,
+ `type=raw,value=v${version.split('.').slice(0, 2).join('.')}`,
+ `type=raw,value=v${version.split('.')[0]}`
+ ]
+ core.setOutput('tags', tags.join('\n'))
+ }
+
+ # Get metadata to apply to image
+ - name: Extract Metadata
+ id: meta
+ uses: docker/metadata-action@v5
+ with:
+ images: ${{ env.CONTAINER_REGISTRY }}/${{ github.repository }}
+ tags: ${{ steps.tags.outputs.tags }}
+
+ # Authenticate to the container registry
+ - name: Authenticate to Container Registry
+ id: login
+ uses: docker/login-action@v3
 with:
- # Container registry details
 registry: ${{ env.CONTAINER_REGISTRY }}
 username: ${{ env.CONTAINER_REGISTRY_USERNAME }}
 password: ${{ env.CONTAINER_REGISTRY_PASSWORD }}
- # Other inputs
- checkout: true
- manifest-path: ${{ env.MANIFEST_PATH }}
- version: ${{ needs.release.outputs.version }}
-
- # Create the list of image tags that will be published. If a prerelease is
- # being published (e.g. `1.2.3-alpha.4`), only the prerelease tag will be
- # published (`v1.2.3-alpha.4`). Otherwise, the following tags will be
- # published:
- # - `latest`
- # - `v1.2.3`
- # - `v1.2`
- # - `v1`
- - name: Set Image Tags
- id: tags
- uses: actions/github-script@v7
- with:
- script: |
- const version = '${{ needs.release.outputs.version }}'
-
- // Check if prerelease (e.g. 1.2.3-alpha.4)
- if (version.includes('-')) {
- // Only output the prerelease tag
- core.setOutput('tags', `type=raw,value=v${version}`)
- } else {
- // Output all the tags
- let tags = [
- 'type=raw,value=latest',
- `type=raw,value=v${version}`,
- `type=raw,value=v${version.split('.').slice(0, 2).join('.')}`,
- `type=raw,value=v${version.split('.')[0]}`
- ]
- core.setOutput('tags', tags.join('\n'))
- }
-
- # Get metadata to apply to image
- - name: Extract Metadata
- id: meta
- uses: docker/metadata-action@v5
- with:
- images: ${{ env.CONTAINER_REGISTRY }}/${{ github.repository }}
- tags: ${{ steps.tags.outputs.tags }}
-
- # Authenticate to the container registry
- - name: Authenticate to Container Registry
- id: login
- uses: docker/login-action@v3
- with:
- registry: ${{ env.CONTAINER_REGISTRY }}
- username: ${{ env.CONTAINER_REGISTRY_USERNAME }}
- password: ${{ env.CONTAINER_REGISTRY_PASSWORD }}
-
- # Publish the container image
- - name: Publish Container Image
- id: publish
- uses: docker/build-push-action@v5
- env:
- LABELS: ${{ steps.meta.outputs.labels }}
- TAGS: ${{ steps.meta.outputs.tags }}
- with:
- labels: ${{ env.LABELS }}
- push: true
- tags: ${{ env.TAGS }}
+ # Publish the container image
+ - name: Publish Container Image
+ id: publish
+ uses: docker/build-push-action@v5
+ env:
+ LABELS: ${{ steps.meta.outputs.labels }}
+ TAGS: ${{ steps.meta.outputs.tags }}
+ with:
+ labels: ${{ env.LABELS }}
+ push: true
+ tags: ${{ env.TAGS }}
diff --git a/.github/workflows/version-check.yml b/.github/workflows/version-check.yml
new file mode 100644
index 0000000..ca73565
--- /dev/null
+++ b/.github/workflows/version-check.yml
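Review bot: In the `Set Image Tags` step of cd.yml, `const version = '${{ needs.release.outputs.version }}'` splices the release output into the script source before it runs, so a value containing a quote or newline would be parsed as JavaScript in a job that later receives the registry credentials. Pass it as data instead: add `env:` with `VERSION: ${{ needs.release.outputs.version }}` to the step and read it with `const version = process.env.VERSION`. Where that output is derived is outside this hunk; if it comes from the `.version` manifest, it is content a pull request can change. Separately, the removed step was named "Build, Scan, and Publish Container Image" and none of the replacement steps appears to scan the image, so it is worth confirming whether a scan is still wanted before `push: true`.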
@@ -0,0 +1,39 @@
+# This workflow checks the version of the container image that is being built
+# in the current pull request. If the version has already been published, the
+# workflow fails to prevent PRs from being merged until the version has been
+# incremented in the manifest file.
+name: Version Check
+
+on:
+ pull_request:
+ branches:
+ - main
+
+env:
+ MANIFEST_PATH: .version
+
+permissions:
+ checks: write
+ contents: read
+ pull-requests: write
+
+jobs:
+ check-version:
+ name: Version Check
+ runs-on: ubuntu-latest
+
+ if: ${{ github.actor != 'dependabot[bot]' }}
+
+ steps:
+ - name: Checkout
+ id: checkout
+ uses: actions/checkout@v4
+ with:
+ fetch-tags: true
+
+ - name: Check Version
+ id: check-version
+ uses: issue-ops/semver@v0.3.2
+ with:
+ check-only: true
+ manifest-path: ${{ env.MANIFEST_PATH }}
diff --git a/Dockerfile b/Dockerfile
index 6b92e63..c4a4906 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,5 @@
 # Set the base image to use for subsequent instructions
-FROM alpine:3.18
+FROM alpine:3.19
 # Set the working directory inside the container
 WORKDIR /usr/src
diff --git a/README.md b/README.md
index 9e5567f..87f6bcb 100644
--- a/README.md
+++ b/README.md
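Review bot: In the new version-check.yml, `uses: issue-ops/semver@v0.3.2` references a third-party action by a tag that can be moved, while the workflow token is granted `checks: write` and `pull-requests: write`; pinning to the full commit SHA (`uses: issue-ops/semver@<full-commit-sha> # v0.3.2`) fixes the code that runs with that token. With `check-only: true` it is also worth confirming that both write scopes are needed and dropping any that are not. The `if: ${{ github.actor != 'dependabot[bot]' }}` guard skips the job, and a job skipped by a condition is reported as passing when used as a required status check, so Dependabot pull requests would merge without the version gate; a one-line comment above the `if` stating that this is intended would help.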
@@ -180,6 +180,20 @@ For information about versioning your action, see
 [Versioning](https://github.com/actions/toolkit/blob/master/docs/action-versioning.md)
 in the GitHub Actions toolkit.
+## Releasing Versions
+
+By default, the [`cd.yml` workflow](./.github/workflows/cd.yml) in this
+repository is configured to release a new version of the action any time a pull
+request is merged into the default branch (`main`). In order to prevent existing
+versions from being overwritten, the
+[`version-check.yml` workflow](./.github/workflows/version-check.yml) can be
+used as a
+[required status check](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging)
+in your branch protection rules.
+
+As part of the pull request, make sure to update the
+[`.version` file](./.version) to a new [Semantic Version](https://semver.org/).
+
 ## Usage
 After testing, you can create version tag(s) that developers can use to