diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index b4fe538..d3ab241 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -16,6 +16,10 @@ concurrency:
 jobs:
   docker:
     runs-on: ubuntu-latest
+    permissions:
+      contents:      read
+      actions:       read
+      pull-requests: write
     steps:
       - name: Detect version
         run: |-
@@ -31,11 +35,20 @@ jobs:
       - name: Running tests
         uses: docker/build-push-action@v6
         with:
-          target: test
-          push: false
+          target: coverage
+          outputs: type=local,dest=coverage/
           build-args: |
             VERSION=${{ env.VERSION }}
 
+      - name: Archive code coverage results
+        uses: actions/upload-artifact@v4
+        if: ${{ always() }}
+        with:
+          name: code-coverage-report
+          path: |
+            coverage/coverage.out
+            coverage/coverage.html
+
       - name: Login to GitHub Container Registry
         uses: docker/login-action@v3
         if: github.ref_type == 'tag'
diff --git a/Dockerfile b/Dockerfile
index a5c4f58..5e253ee 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -17,7 +17,13 @@ COPY pkg/ ./pkg
 FROM base AS test
 
 RUN go vet -v ./...
-RUN go test -v ./...
+RUN go test -race -v -coverprofile=cover.out -covermode=atomic ./...
+RUN go tool cover -html cover.out -o cover.html
+
+FROM scratch AS coverage
+
+COPY --from=test /work/cover.html coverage.html
+COPY --from=test /work/cover.out  coverage.out
 
 # Stage to build the binary
 FROM base AS build