diff --git a/.github/workflows/console.yml b/.github/workflows/console.yml
index a6fb0e2d54..04bdcb2227 100644
--- a/.github/workflows/console.yml
+++ b/.github/workflows/console.yml
@@ -50,7 +50,7 @@ jobs:
           cache-dependency-path: pnpm-lock.yaml
       - if: ${{ steps.cache.outputs.cache-hit != 'true' }}
         name: Install dependencies
-        run: pnpm install
+        run: pnpm install --frozen-lockfile
       - if: ${{ steps.cache.outputs.cache-hit != 'true' }}
         name: Build console with Turbo
         run: pnpm turbo build --filter=./console
diff --git a/.github/workflows/login-container.yml b/.github/workflows/login-container.yml
index 25f338fb50..6910bca074 100644
--- a/.github/workflows/login-container.yml
+++ b/.github/workflows/login-container.yml
@@ -62,7 +62,6 @@ jobs:
           provenance: true
           sbom: true
           targets: login-standalone
-          set: login-*.context=./apps/login/
           project: w47wkxzdtw
           files: |
             ./apps/login/docker-bake.hcl
diff --git a/.github/workflows/login-quality.yml b/.github/workflows/login-quality.yml
deleted file mode 100644
index c08c261125..0000000000
--- a/.github/workflows/login-quality.yml
+++ /dev/null
@@ -1,69 +0,0 @@
-name: Login Quality
-
-on:
-  workflow_call:
-    inputs:
-      ignore-run-cache:
-        description: "Ignore run caches"
-        type: boolean
-        required: true
-      node_version:
-        required: true
-        type: string
-    secrets:
-      DEPOT_TOKEN:
-        required: true
-
-jobs:
-  quality:
-    name: Ensure Quality
-    runs-on: depot-ubuntu-22.04-8
-    timeout-minutes: 30
-    permissions:
-      actions: write
-    env:
-      CACHE_DIR: /tmp/login-run-caches
-    steps:
-      - uses: actions/checkout@v4
-      - uses: depot/setup-action@v1
-      - name: Restore Run Caches
-        uses: actions/cache/restore@v4
-        id: run-caches-restore
-        with:
-          path: ${{ env.CACHE_DIR }}
-          key: ${{ runner.os }}-login-run-caches-${{github.ref_name}}-${{ github.sha }}-${{github.run_attempt}}
-          restore-keys: |
-            ${{ runner.os }}-login-run-caches-${{github.ref_name}}-${{ github.sha }}-
-            ${{ runner.os }}-login-run-caches-${{github.ref_name}}-
-            ${{ runner.os }}-login-run-caches-
-      - uses: actions/download-artifact@v4
-        with:
-          path: .artifacts
-          name: zitadel-linux-amd64
-      - name: Unpack executable
-        run: |
-          tar -xvf .artifacts/zitadel-linux-amd64.tar.gz
-          mv zitadel-linux-amd64/zitadel ./zitadel
-      - uses: pnpm/action-setup@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version: ${{ inputs.node_version }}
-          cache: "pnpm"
-          cache-dependency-path: pnpm-lock.yaml
-      - name: Install dependencies
-        run: pnpm install
-      - name: Run login quality checks with Turbo
-        run: pnpm turbo test:unit
-        env:
-          DEPOT_TOKEN: ${{ secrets.DEPOT_TOKEN }}
-          LOGIN_BAKE_CLI: depot bake
-          DEPOT_PROJECT_ID: w47wkxzdtw
-          IGNORE_RUN_CACHE: ${{ github.event.inputs.ignore-run-cache }}
-          NODE_VERSION: ${{ inputs.node_version }}
-
-      - name: Save Run Caches
-        uses: actions/cache/save@v4
-        with:
-          path: ${{ env.CACHE_DIR }}
-          key: ${{ steps.run-caches-restore.outputs.cache-primary-key }}
-        if: always()
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 1b532d17c0..bfbc3d6934 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -184,7 +184,7 @@ jobs:
 
       - name: Install dependencies
         working-directory: login
-        run: pnpm install
+        run: pnpm install --frozen-lockfile
 
       - name: Create Release Pull Request
         uses: changesets/action@v1
diff --git a/Makefile b/Makefile
index a7314f638a..8dc62938fa 100644
--- a/Makefile
+++ b/Makefile
@@ -97,7 +97,7 @@ console_move:
 
 .PHONY: console_dependencies
 console_dependencies:
-	pnpm install
+	pnpm install --frozen-lockfile
 
 .PHONY: console_client
 console_client:
diff --git a/apps/login/docker-bake-release.hcl b/apps/login/docker-bake-release.hcl
new file mode 100644
index 0000000000..51e1c194f6
--- /dev/null
+++ b/apps/login/docker-bake-release.hcl
@@ -0,0 +1,3 @@
+target "release" {
+  platforms = ["linux/amd64", "linux/arm64"]
+}
diff --git a/apps/login/docker-bake.hcl b/apps/login/docker-bake.hcl
new file mode 100644
index 0000000000..f68bc80093
--- /dev/null
+++ b/apps/login/docker-bake.hcl
@@ -0,0 +1,17 @@
+# The release target is overwritten in docker-bake-release.hcl
+# It makes sure the image is built for multiple platforms.
+# By default the platforms property is empty, so images are only built for the current bake runtime platform.
+target "release" {}
+
+target "docker-metadata-action" {
+  # In the pipeline, this target is overwritten by the docker metadata action.
+  tags = ["${LOGIN_TAG}"]
+}
+
+# We run integration and acceptance tests against the next standalone server for docker.
+target "login-standalone" {
+  inherits = [
+    "docker-metadata-action",
+    "release",
+  ]
+}
diff --git a/docker-bake.hcl b/docker-bake.hcl
index d75373dee1..81d863cd4f 100644
--- a/docker-bake.hcl
+++ b/docker-bake.hcl
@@ -1,5 +1,13 @@
-target "typescript-proto-client" {
-  contexts = {
-    proto-files = "target:proto-files"
-  }
+# login-standalone can extend the login-standalone target in apps/login/docker-bake.hcl
+target "login-standalone" {
+  context = .
+  dockerfile = dockerfiles/login.Dockerfile
+}
+
+target "login-standalone-out" {
+  inherits = ["login-standalone"]
+  target   = "build-out"
+  output = [
+    "type=local,dest=.artifacts/login"
+  ]
 }