diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml
index c8c6023..f8c75e4 100644
--- a/.github/workflows/docker.yaml
+++ b/.github/workflows/docker.yaml
@@ -105,3 +105,58 @@ jobs:
           tags: ${{ steps.meta.outputs.tags }}
           cache-from: type=gha,scope=${{ matrix.name }}
           cache-to: type=gha,mode=max,scope=${{ matrix.name }}
+
+  build-job-service:
+    name: Build knative-job-service
+    runs-on: ubuntu-latest
+
+    env:
+      REGISTRY: ghcr.io
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v6
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '22'
+
+      - name: Generate workspace packages
+        run: |
+          node --experimental-strip-types scripts/generate.ts
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v4
+
+      - name: Log in to GHCR
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v4
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v6
+        with:
+          images: ${{ env.REGISTRY }}/${{ github.repository_owner }}/knative-job-service
+          tags: |
+            type=ref,event=tag
+            type=semver,pattern={{version}}
+            type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }}
+            type=sha,format=short,prefix=
+
+      - name: Build and push
+        uses: docker/build-push-action@v7
+        with:
+          context: .
+          file: job/service/Dockerfile
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          cache-from: type=gha,scope=knative-job-service
+          cache-to: type=gha,mode=max,scope=knative-job-service
diff --git a/job/service/Dockerfile b/job/service/Dockerfile
new file mode 100644
index 0000000..df27b26
--- /dev/null
+++ b/job/service/Dockerfile
@@ -0,0 +1,20 @@
+FROM node:22-alpine AS build
+RUN npm install -g pnpm@10.12.2
+WORKDIR /app
+COPY . .
+RUN node --experimental-strip-types scripts/generate.ts \
+    && pnpm install --frozen-lockfile \
+    && pnpm --filter @constructive-io/knative-job-service... build
+
+FROM node:22-alpine AS deploy
+RUN npm install -g pnpm@10.12.2
+COPY --from=build /app /app
+WORKDIR /app
+RUN pnpm --filter @constructive-io/knative-job-service deploy --legacy /deploy --prod
+
+FROM node:22-alpine
+WORKDIR /app
+COPY --from=deploy /deploy .
+ENV NODE_ENV=production
+EXPOSE 8080
+CMD ["node", "dist/run.js"]
diff --git a/k8s/base/constructive/knative-job-service.yaml b/k8s/base/constructive/knative-job-service.yaml
index 3cf2fb4..cf0fcbe 100644
--- a/k8s/base/constructive/knative-job-service.yaml
+++ b/k8s/base/constructive/knative-job-service.yaml
@@ -22,12 +22,13 @@ spec:
     spec:
       containers:
         - name: knative-job-service
-          image: ghcr.io/constructive-io/constructive:e0b55cc
+          # Pin to a short SHA at deploy time (e.g. ghcr.io/constructive-io/knative-job-service:abc1234).
+          # Built by .github/workflows/docker.yaml from job/service/Dockerfile.
+          image: ghcr.io/constructive-io/knative-job-service:latest
           imagePullPolicy: Always
 
-          # Run the knative job service entrypoint from the root image
           command: ["node"]
-          args: ["jobs/knative-job-service/dist/run.js"]
+          args: ["dist/run.js"]
 
           envFrom:
             - configMapRef: