diff --git a/.github/config/config-gcr-retag b/.github/config/config-gcr-retag
new file mode 100644
index 0000000000..5a6ed07922
--- /dev/null
+++ b/.github/config/config-gcr-retag
@@ -0,0 +1,6 @@
+export TARGET_REGISTRY=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev
+declare -a PLUS_TAG_POSTFIX_LIST=("" "-ubi" "-alpine" "-alpine-fips" "-mktpl" "-alpine-mktpl" "-alpine-mktpl-fips")
+declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-ubi" "-mktpl" "-ubi-mktpl" "-alpine-fips")
+declare -a NAP_DOS_TAG_POSTFIX_LIST=("" "-ubi" "-mktpl" "-ubi-mktpl")
+declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("" "-ubi" "-mktpl" "-ubi-mktpl")
+declare -a ADDITIONAL_TAGS=()
diff --git a/.github/config/config-oss-dockerhub b/.github/config/config-oss-dockerhub
new file mode 100644
index 0000000000..345db41a21
--- /dev/null
+++ b/.github/config/config-oss-dockerhub
@@ -0,0 +1,7 @@
+export TARGET_REGISTRY=docker.io
+export TARGET_OSS_IMAGE_PREFIX="nginx/nginx-ingress"
+declare -a ADDITIONAL_TAGS=("latest" "${ADDITIONAL_TAG}")
+export PUBLISH_PLUS=false
+export PUBLISH_WAF=false
+export PUBLISH_DOS=false
+export PUBLISH_WAF_DOS=false
diff --git a/.github/config/config-oss-ecr b/.github/config/config-oss-ecr
new file mode 100644
index 0000000000..964d71ed47
--- /dev/null
+++ b/.github/config/config-oss-ecr
@@ -0,0 +1,7 @@
+export TARGET_REGISTRY=public.ecr.aws
+export TARGET_OSS_IMAGE_PREFIX="nginx/nginx-ingress"
+declare -a ADDITIONAL_TAGS=("latest" "${ADDITIONAL_TAG}")
+export PUBLISH_PLUS=false
+export PUBLISH_WAF=false
+export PUBLISH_DOS=false
+export PUBLISH_WAF_DOS=false
diff --git a/.github/config/config-oss-gcr-release b/.github/config/config-oss-gcr-release
new file mode 100644
index 0000000000..4f378e9131
--- /dev/null
+++ b/.github/config/config-oss-gcr-release
@@ -0,0 +1,6 @@
+export TARGET_REGISTRY=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release
+declare -a ADDITIONAL_TAGS=("latest" "${ADDITIONAL_TAG}")
+export PUBLISH_PLUS=false
+export PUBLISH_WAF=false
+export PUBLISH_DOS=false
+export PUBLISH_WAF_DOS=false
diff --git a/.github/config/config-oss-github b/.github/config/config-oss-github
new file mode 100644
index 0000000000..403cca86a3
--- /dev/null
+++ b/.github/config/config-oss-github
@@ -0,0 +1,7 @@
+export TARGET_REGISTRY=ghcr.io
+export TARGET_OSS_IMAGE_PREFIX="nginxinc/kubernetes-ingress"
+declare -a ADDITIONAL_TAGS=("latest" "${ADDITIONAL_TAG}")
+export PUBLISH_PLUS=false
+export PUBLISH_WAF=false
+export PUBLISH_DOS=false
+export PUBLISH_WAF_DOS=false
diff --git a/.github/config/config-oss-quay b/.github/config/config-oss-quay
new file mode 100644
index 0000000000..70d5fd9cd9
--- /dev/null
+++ b/.github/config/config-oss-quay
@@ -0,0 +1,7 @@
+export TARGET_REGISTRY=quay.io
+export TARGET_OSS_IMAGE_PREFIX="nginx/nginx-ingress"
+declare -a ADDITIONAL_TAGS=("latest" "${ADDITIONAL_TAG}")
+export PUBLISH_PLUS=false
+export PUBLISH_WAF=false
+export PUBLISH_DOS=false
+export PUBLISH_WAF_DOS=false
diff --git a/.github/config/config-plus-azure b/.github/config/config-plus-azure
new file mode 100644
index 0000000000..bcccd67e77
--- /dev/null
+++ b/.github/config/config-plus-azure
@@ -0,0 +1,11 @@
+export TARGET_REGISTRY=nginxmktpl.azurecr.io
+export TARGET_PLUS_IMAGE_PREFIX="marketplaceimages/nginx-plus-ingress"
+export TARGET_NAP_WAF_IMAGE_PREFIX="marketplaceimages/nginx-plus-ingress-nap"
+export TARGET_NAP_DOS_IMAGE_PREFIX="marketplaceimages/nginx-plus-ingress-dos"
+export TARGET_NAP_WAF_DOS_IMAGE_PREFIX="marketplaceimages/nginx-plus-ingress-nap-dos"
+declare -a PLUS_TAG_POSTFIX_LIST=("")
+declare -a NAP_WAF_TAG_POSTFIX_LIST=("")
+declare -a NAP_DOS_TAG_POSTFIX_LIST=("")
+declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("")
+declare -a ADDITIONAL_TAGS=()
+export PUBLISH_OSS=false
diff --git a/.github/config/config-plus-ecr b/.github/config/config-plus-ecr
new file mode 100644
index 0000000000..452fa6f124
--- /dev/null
+++ b/.github/config/config-plus-ecr
@@ -0,0 +1,11 @@
+export TARGET_REGISTRY=709825985650.dkr.ecr.us-east-1.amazonaws.com
+export TARGET_PLUS_IMAGE_PREFIX=nginx/nginx-plus-ingress
+export TARGET_NAP_WAF_IMAGE_PREFIX=nginx/nginx-plus-ingress-nap
+export TARGET_NAP_DOS_IMAGE_PREFIX=nginx/nginx-plus-ingress-dos
+export TARGET_NAP_WAF_DOS_IMAGE_PREFIX=nginx/nginx-plus-ingress-dos-nap
+declare -a PLUS_TAG_POSTFIX_LIST=("-mktpl" "-alpine-mktpl" "-alpine-mktpl-fips")
+declare -a NAP_WAF_TAG_POSTFIX_LIST=("-mktpl" "-ubi-mktpl")
+declare -a NAP_DOS_TAG_POSTFIX_LIST=("-mktpl" "-ubi-mktpl")
+declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("-mktpl" "-ubi-mktpl")
+declare -a ADDITIONAL_TAGS=()
+export PUBLISH_OSS=false
diff --git a/.github/config/config-plus-gcr-public b/.github/config/config-plus-gcr-public
new file mode 100644
index 0000000000..f508554928
--- /dev/null
+++ b/.github/config/config-plus-gcr-public
@@ -0,0 +1,10 @@
+export PUBLISH_OSS=false
+export PUBLISH_WAF_DOS=false
+export TARGET_REGISTRY=gcr.io/f5-7626-networks-public
+export TARGET_PLUS_IMAGE_PREFIX=nginxinc/nginx-plus-ingress
+export TARGET_NAP_WAF_IMAGE_PREFIX=nginxinc/nginx-plus-ingress-nap
+export TARGET_NAP_DOS_IMAGE_PREFIX=nginxinc/nginx-plus-ingress-dos
+declare -a PLUS_TAG_POSTFIX_LIST=("")
+declare -a NAP_WAF_TAG_POSTFIX_LIST=("")
+declare -a NAP_DOS_TAG_POSTFIX_LIST=("")
+declare -a ADDITIONAL_TAGS=(${ADDITIONAL_TAG})
diff --git a/.github/config/config-plus-gcr-release b/.github/config/config-plus-gcr-release
new file mode 100644
index 0000000000..0af0ae550d
--- /dev/null
+++ b/.github/config/config-plus-gcr-release
@@ -0,0 +1,7 @@
+export TARGET_REGISTRY=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release
+declare -a PLUS_TAG_POSTFIX_LIST=("" "-ubi" "-alpine" "-alpine-fips" "-mktpl" "-alpine-mktpl" "-alpine-mktpl-fips")
+declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-ubi" "-mktpl" "-ubi-mktpl" "-alpine-fips")
+declare -a NAP_DOS_TAG_POSTFIX_LIST=("" "-ubi" "-mktpl" "-ubi-mktpl")
+declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("" "-ubi" "-mktpl" "-ubi-mktpl")
+declare -a ADDITIONAL_TAGS=("latest" "${ADDITIONAL_TAG}")
+export PUBLISH_OSS=false
diff --git a/.github/config/config-plus-nginx b/.github/config/config-plus-nginx
new file mode 100644
index 0000000000..de809c41b8
--- /dev/null
+++ b/.github/config/config-plus-nginx
@@ -0,0 +1,8 @@
+export TARGET_REGISTRY=docker-mgmt.nginx.com
+export TARGET_NAP_WAF_DOS_IMAGE_PREFIX="nginx-ic-nap-dos/nginx-plus-ingress"
+declare -a PLUS_TAG_POSTFIX_LIST=("" "-ubi" "-alpine" "-alpine-fips")
+declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-ubi" "-alpine-fips")
+declare -a NAP_DOS_TAG_POSTFIX_LIST=("" "-ubi")
+declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("" "-ubi")
+declare -a ADDITIONAL_TAGS=("latest" "${ADDITIONAL_TAG}")
+export PUBLISH_OSS=false
diff --git a/.github/scripts/copy-images.sh b/.github/scripts/copy-images.sh
new file mode 100755
index 0000000000..b63fa618e5
--- /dev/null
+++ b/.github/scripts/copy-images.sh
@@ -0,0 +1,213 @@
+#!/usr/bin/env bash
+
+set -eo pipefail
+
+## Setup inputs
+
+SOURCE_TAG=${SOURCE_TAG:-stable}
+TARGET_TAG=${TARGET_TAG:-edge}
+ADDITIONAL_TAG=${ADDITIONAL_TAG:-""}
+
+SOURCE_REGISTRY=${1:-"gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev"}
+TARGET_REGISTRY=${2:-"gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release"}
+
+REGISTRY_USERNAME=${REGISTRY_USERNAME:-""}
+REGISTRY_PASSWORD=${REGISTRY_PASSWORD:-""}
+
+PUBLISH_OSS=${PUBLISH_OSS:-true}
+PUBLISH_PLUS=${PUBLISH_PLUS:-true}
+PUBLISH_WAF=${PUBLISH_WAF:-true}
+PUBLISH_DOS=${PUBLISH_DOS:-true}
+PUBLISH_WAF_DOS=${PUBLISH_WAF_DOS:-true}
+
+DRY_RUN=${DRY_RUN:-false}
+
+SOURCE_OSS_IMAGE_PREFIX=${SOURCE_OSS_IMAGE_PREFIX:-"nginx-ic/nginx-ingress"}
+
+TARGET_OSS_IMAGE_PREFIX=${TARGET_OSS_IMAGE_PREFIX:-"nginx-ic/nginx-ingress"}
+
+SOURCE_PLUS_IMAGE_PREFIX=${SOURCE_PLUS_IMAGE_PREFIX:-"nginx-ic/nginx-plus-ingress"}
+SOURCE_NAP_WAF_IMAGE_PREFIX=${SOURCE_NAP_WAF_IMAGE_PREFIX:-"nginx-ic-nap/nginx-plus-ingress"}
+SOURCE_NAP_DOS_IMAGE_PREFIX=${SOURCE_NAP_DOS_IMAGE_PREFIX:-"nginx-ic-dos/nginx-plus-ingress"}
+SOURCE_NAP_WAF_DOS_IMAGE_PREFIX=${SOURCE_NAP_WAF_DOS_IMAGE_PREFIX:-"nginx-ic-dos-nap/nginx-plus-ingress"}
+
+TARGET_PLUS_IMAGE_PREFIX=${TARGET_PLUS_IMAGE_PREFIX:-"nginx-ic/nginx-plus-ingress"}
+TARGET_NAP_WAF_IMAGE_PREFIX=${TARGET_NAP_WAF_IMAGE_PREFIX:-"nginx-ic-nap/nginx-plus-ingress"}
+TARGET_NAP_DOS_IMAGE_PREFIX=${TARGET_NAP_DOS_IMAGE_PREFIX:-"nginx-ic-dos/nginx-plus-ingress"}
+TARGET_NAP_WAF_DOS_IMAGE_PREFIX=${TARGET_NAP_WAF_DOS_IMAGE_PREFIX:-"nginx-ic-dos-nap/nginx-plus-ingress"}
+
+declare -a OSS_TAG_POSTFIX_LIST=("" "-ubi" "-alpine")
+declare -a PLUS_TAG_POSTFIX_LIST=("" "-ubi" "-alpine" "-alpine-fips")
+declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-ubi" "-alpine-fips")
+declare -a NAP_DOS_TAG_POSTFIX_LIST=("" "-ubi")
+declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("" "-ubi")
+declare -a ADDITIONAL_TAGS=("latest" "${ADDITIONAL_TAG}")
+
+CONFIG_PATH=${CONFIG_PATH:-~/.nic-release/config}
+if [ -f "$CONFIG_PATH" ]; then
+    # shellcheck source=/dev/null
+    . "$CONFIG_PATH"
+fi
+
+SOURCE_OPTS=${SOURCE_OPTS:-""}
+if [[ $SOURCE_REGISTRY =~ mgmt ]] || [[ $SOURCE_REGISTRY =~ private ]] ; then
+    if [ "${CI}" != 'true' ]; then
+        SOURCE_OPTS="--src-username ${REGISTRY_USERNAME} --src-password ${REGISTRY_PASSWORD}"
+    fi
+fi
+
+TARGET_OPTS=${TARGET_OPTS:-""}
+if [[ $TARGET_REGISTRY =~ mgmt ]]; then
+    if [ "${CI}" != 'true' ]; then
+        TARGET_OPTS="--dest-username ${REGISTRY_USERNAME} --dest-password ${REGISTRY_PASSWORD}"
+    fi
+fi
+
+# cannot push the same tag twice
+IS_IMMUTABLE=false
+if [[ $TARGET_REGISTRY =~ 709825985650.dkr.ecr ]]; then
+    IS_IMMUTABLE=true
+fi
+
+ARCH_OPTS="-a"
+if [[ $TARGET_REGISTRY =~ f5-7626-networks-public ]] || [[ $TARGET_REGISTRY =~ nginxmktpl ]]; then
+    ARCH_OPTS="--override-os linux --override-arch amd64"
+fi
+
+## Main publish loops
+
+if $PUBLISH_OSS; then
+    for postfix in "${OSS_TAG_POSTFIX_LIST[@]}"; do
+        image=${SOURCE_REGISTRY}/${SOURCE_OSS_IMAGE_PREFIX}:${SOURCE_TAG}${postfix}
+        echo "Processing image ${image}"
+        new_tag=${TARGET_REGISTRY}/${TARGET_OSS_IMAGE_PREFIX}:${TARGET_TAG}${postfix}
+        echo "  Pushing image OSS ${new_tag}..."
+        if ! $DRY_RUN; then
+            skopeo copy --retry-times 5 ${ARCH_OPTS} ${SOURCE_OPTS} ${TARGET_OPTS} docker://${image} docker://${new_tag}
+        fi
+        for tag in "${ADDITIONAL_TAGS[@]}"; do
+            if [ -z "${tag}" ]; then
+                continue
+            fi
+            additional_tag=${TARGET_REGISTRY}/${TARGET_OSS_IMAGE_PREFIX}:${tag}${postfix}
+            echo "  Pushing image OSS ${additional_tag}..."
+            if ! $DRY_RUN; then
+                skopeo copy --retry-times 5 ${ARCH_OPTS} ${SOURCE_OPTS} ${TARGET_OPTS} docker://${image} docker://${additional_tag}
+            fi
+        done
+    done
+else
+    echo "Skipping Publish OSS flow"
+fi
+
+if $PUBLISH_PLUS; then
+    for postfix in "${PLUS_TAG_POSTFIX_LIST[@]}"; do
+        image=${SOURCE_REGISTRY}/${SOURCE_PLUS_IMAGE_PREFIX}:${SOURCE_TAG}${postfix}
+        echo "Processing image ${image}"
+        new_tag=${TARGET_REGISTRY}/${TARGET_PLUS_IMAGE_PREFIX}:${TARGET_TAG}${postfix}
+        if $IS_IMMUTABLE && skopeo --override-os linux --override-arch amd64 inspect docker://${new_tag} > /dev/null 2>&1; then
+            echo "  ECR is immutable & tag ${new_tag} already exists, skipping."
+        else
+            echo "  Pushing image Plus ${new_tag}..."
+            if ! $DRY_RUN; then
+                skopeo copy --retry-times 5 ${ARCH_OPTS} ${SOURCE_OPTS} ${TARGET_OPTS} docker://${image} docker://${new_tag}
+            fi
+            for tag in "${ADDITIONAL_TAGS[@]}"; do
+                if [ -z "${tag}" ]; then
+                    continue
+                fi
+                additional_tag=${TARGET_REGISTRY}/${TARGET_PLUS_IMAGE_PREFIX}:${tag}${postfix}
+                echo "  Pushing image Plus ${additional_tag}..."
+                if ! $DRY_RUN; then
+                    skopeo copy --retry-times 5 ${ARCH_OPTS} ${SOURCE_OPTS} ${TARGET_OPTS} docker://${image} docker://${additional_tag}
+                fi
+            done
+        fi
+    done
+else
+    echo "Skipping Publish Plus flow"
+fi
+
+if $PUBLISH_WAF; then
+    for postfix in "${NAP_WAF_TAG_POSTFIX_LIST[@]}"; do
+        image=${SOURCE_REGISTRY}/${SOURCE_NAP_WAF_IMAGE_PREFIX}:${SOURCE_TAG}${postfix}
+        echo "Processing image ${image}"
+        new_tag=${TARGET_REGISTRY}/${TARGET_NAP_WAF_IMAGE_PREFIX}:${TARGET_TAG}${postfix}
+        if $IS_IMMUTABLE && skopeo --override-os linux --override-arch amd64 inspect docker://${new_tag} > /dev/null 2>&1; then
+            echo "  ECR is immutable & tag ${new_tag} already exists, skipping."
+        else
+            echo "  Pushing image NAP WAF ${new_tag}..."
+            if ! $DRY_RUN; then
+                skopeo copy --retry-times 5 ${ARCH_OPTS} ${SOURCE_OPTS} ${TARGET_OPTS} docker://${image} docker://${new_tag}
+            fi
+            for tag in "${ADDITIONAL_TAGS[@]}"; do
+                if [ -z "${tag}" ]; then
+                    continue
+                fi
+                additional_tag=${TARGET_REGISTRY}/${TARGET_NAP_WAF_IMAGE_PREFIX}:${tag}${postfix}
+                echo "  Pushing image NAP WAF ${additional_tag}..."
+                if ! $DRY_RUN; then
+                    skopeo copy --retry-times 5 ${ARCH_OPTS} ${SOURCE_OPTS} ${TARGET_OPTS} docker://${image} docker://${additional_tag}
+                fi
+            done
+        fi
+    done
+else
+    echo "Skipping Publish Plus WAF flow"
+fi
+
+if $PUBLISH_DOS; then
+    for postfix in "${NAP_DOS_TAG_POSTFIX_LIST[@]}"; do
+        image=${SOURCE_REGISTRY}/${SOURCE_NAP_DOS_IMAGE_PREFIX}:${SOURCE_TAG}${postfix}
+        echo "Processing image ${image}"
+        new_tag=${TARGET_REGISTRY}/${TARGET_NAP_DOS_IMAGE_PREFIX}:${TARGET_TAG}${postfix}
+        if $IS_IMMUTABLE && skopeo --override-os linux --override-arch amd64 inspect docker://${new_tag} > /dev/null 2>&1; then
+            echo "  ECR is immutable & tag ${new_tag} already exists, skipping."
+        else
+            echo "  Pushing image NAP DOS ${new_tag}..."
+            if ! $DRY_RUN; then
+                skopeo copy --retry-times 5 ${ARCH_OPTS} ${SOURCE_OPTS} ${TARGET_OPTS} docker://${image} docker://${new_tag}
+            fi
+            for tag in "${ADDITIONAL_TAGS[@]}"; do
+                if [ -z "${tag}" ]; then
+                    continue
+                fi
+                additional_tag=${TARGET_REGISTRY}/${TARGET_NAP_DOS_IMAGE_PREFIX}:${tag}${postfix}
+                echo "  Pushing image NAP DOS ${additional_tag}..."
+                if ! $DRY_RUN; then
+                    skopeo copy --retry-times 5 ${ARCH_OPTS} ${SOURCE_OPTS} ${TARGET_OPTS} docker://${image} docker://${additional_tag}
+                fi
+            done
+        fi
+    done
+else
+    echo "Skipping Publish Plus DOS flow"
+fi
+
+if $PUBLISH_WAF_DOS; then
+    for postfix in "${NAP_WAF_DOS_TAG_POSTFIX_LIST[@]}"; do
+        image=${SOURCE_REGISTRY}/${SOURCE_NAP_WAF_DOS_IMAGE_PREFIX}:${SOURCE_TAG}${postfix}
+        echo "Processing image ${image}"
+        new_tag=${TARGET_REGISTRY}/${TARGET_NAP_WAF_DOS_IMAGE_PREFIX}:${TARGET_TAG}${postfix}
+        if $IS_IMMUTABLE && skopeo --override-os linux --override-arch amd64 inspect docker://${new_tag} > /dev/null 2>&1; then
+            echo "  ECR is immutable & tag ${new_tag} already exists, skipping."
+        else
+            echo "  Pushing image NAP WAF/DOS ${new_tag}..."
+            if ! $DRY_RUN; then
+                skopeo copy --retry-times 5 ${ARCH_OPTS} ${SOURCE_OPTS} ${TARGET_OPTS} docker://${image} docker://${new_tag}
+            fi
+            for tag in "${ADDITIONAL_TAGS[@]}"; do
+                if [ -z "${tag}" ]; then
+                    continue
+                fi
+                additional_tag=${TARGET_REGISTRY}/${TARGET_NAP_WAF_DOS_IMAGE_PREFIX}:${tag}${postfix}
+                echo "  Pushing image NAP WAF/DOS ${additional_tag}..."
+                if ! $DRY_RUN; then
+                    skopeo copy --retry-times 5 ${ARCH_OPTS} ${SOURCE_OPTS} ${TARGET_OPTS} docker://${image} docker://${additional_tag}
+                fi
+            done
+        fi
+    done
+else
+    echo "Skipping Publish Plus WAF/DOS flow"
+fi