diff --git a/.github/workflows/docker-build.yaml b/.github/workflows/docker-build.yaml
index 296c22c84..b9fa8eb71 100644
--- a/.github/workflows/docker-build.yaml
+++ b/.github/workflows/docker-build.yaml
@@ -34,6 +34,7 @@ jobs:
             type=semver,pattern={{major}}.{{minor}}
             type=semver,pattern={{version}}
             type=raw,value=latest,enable={{is_default_branch}}
+            type=raw,value=release,enable=${{ github.ref_type == 'tag' }}
 
       - name: Login to Github Container Registry
         if: github.event_name != 'pull_request'
@@ -52,7 +53,6 @@ jobs:
         with:
           push: ${{ github.event_name != 'pull_request' }}
           tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
           platforms: ${{ env.build_platforms }}
 
       - name: Image digest
diff --git a/.github/workflows/docker-testbed-periodic-rebuild.yaml b/.github/workflows/docker-testbed-periodic-rebuild.yaml
new file mode 100644
index 000000000..fd39eeedc
--- /dev/null
+++ b/.github/workflows/docker-testbed-periodic-rebuild.yaml
@@ -0,0 +1,48 @@
+name: Rebuild js testbed image
+
+on:
+  workflow_dispatch:
+  schedule:
+    # Run weekly, at 2:15pm on Monday (chosen at random)
+    # https://cron.help/#15_14_*_*_1
+    - cron: '15 14 * * 1'
+
+env:
+  build_platforms: ${{ vars.BUILD_PLATFORMS || 'linux/amd64' }}
+  build_image: ${{ vars.BUILD_IMAGE || 'ghcr.io/isso-comments/isso-js-testbed' }}
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v4
+        with:
+          flavor: |
+            latest=false
+          images: ${{ env.build_image }}
+          tags: |
+            type=raw,value=latest,enable={{is_default_branch}}
+
+      - name: Login to Github Container Registry
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Build docker-js-testbed
+        run: make docker-testbed
+
+      - name: Push docker-js-testbed image as ${{ env.build_image }}
+        run: make docker-testbed-push
diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml
index bb3baf0dc..0a45ef7dd 100644
--- a/.github/workflows/e2e-tests.yml
+++ b/.github/workflows/e2e-tests.yml
@@ -41,14 +41,16 @@ jobs:
         run: docker compose build isso-server
 
       - name: Bring up containers
+        # Don't wait for healthcheck via --wait. This would fail with a
+        # negative exit code since the isso-client container is expected to
+        # exit
         run: docker compose up -d
 
       - name: Client unit tests
         run: make docker-js-unit
 
-      - name: Check if containers are up, sleep if not
-        shell: bash
-        run: '[ "$(docker inspect --format={{.State.Health.Status}} isso-server)" = "healthy" ] || sleep 5'
+      - name: Wait for isso-server container to be ready
+        run: 'for i in $(seq 1 30); do [ "`docker inspect -f {{.State.Health.Status}} isso-server`" == "healthy" ] && s=0 && break || s=$? && sleep 0.3; done; (exit $s)'
 
       - name: Client integration tests
         run: make docker-js-integration
diff --git a/CHANGES.rst b/CHANGES.rst
index 9997aad41..135ec84b9 100644
--- a/CHANGES.rst
+++ b/CHANGES.rst
@@ -20,7 +20,12 @@ New Features
 Breaking Changes
 ^^^^^^^^^^^^^^^^
 
-- TBD
+- Rework the Docker image tagging scheme: ``isso:latest`` is now rebuilt on
+  every push to ``master``, while ``isso:release`` points to the latest stable
+  release (`#970`_, janw). Previously, ``:latest`` pointed to the latest stable
+  (tagged) version
+
+.. _#970: https://github.com/isso-comments/isso/pull/970
 
 Bugfixes & Improvements
 ^^^^^^^^^^^^^^^^^^^^^^^
diff --git a/Dockerfile b/Dockerfile
index 903f69506..def715c9a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -71,6 +71,10 @@ FROM python:3.10-alpine AS isso
 WORKDIR /isso/
 COPY --from=isso-builder /isso/ .
 
+LABEL org.opencontainers.image.source=https://github.com/isso-comments/isso
+LABEL org.opencontainers.image.description="Isso – a commenting server similar to Disqus"
+LABEL org.opencontainers.image.licenses=MIT
+
 # Clean up
 RUN rm -rf /var/apk/cache/* /tmp/* /var/tmp/*
 
diff --git a/Makefile b/Makefile
index f88fd1997..faced3e21 100644
--- a/Makefile
+++ b/Makefile
@@ -38,6 +38,9 @@ APIDOC = npx --no-install apidoc
 
 SASS = sassc
 
+ISSO_IMAGE ?= isso:latest
+ISSO_RELEASE_IMAGE ?= isso:release
+ISSO_DOCKER_REGISTRY ?= ghcr.io/isso-comments
 TESTBED_IMAGE ?= isso-js-testbed:latest
 
 all: js site
@@ -93,21 +96,35 @@ test: $($ISSO_PY_SRC)
 	PYTHONPATH=. pytest --doctest-modules isso/
 
 docker:
-	DOCKER_BUILDKIT=1 docker build -t isso:latest .
+	DOCKER_BUILDKIT=1 docker build -t $(ISSO_IMAGE) .
+
+# For maintainers making releases only:
+docker-release:
+	DOCKER_BUILDKIT=1 docker build -t $(ISSO_IMAGE) .
 
 docker-run:
-	docker run -d --rm --name isso -p 127.0.0.1:8080:8080 --mount type=bind,source=$(PWD)/contrib/isso-dev.cfg,target=/config/isso.cfg,readonly isso:latest isso.run
+	docker run -d --rm --name isso -p 127.0.0.1:8080:8080 \
+		--mount type=bind,source=$(PWD)/contrib/isso-dev.cfg,target=/config/isso.cfg,readonly \
+		$(ISSO_IMAGE) isso.run
 
+# For maintainers only, discouraged in favor of the GitHub action running on
+# every git push
 docker-push:
-	docker tag isso:latest ghcr.io/isso-comments/isso:dev
-	docker push ghcr.io/isso-comments/isso:dev
+	docker tag $(ISSO_IMAGE) $(ISSO_DOCKER_REGISTRY)/$(ISSO_IMAGE)
+	docker push $(ISSO_DOCKER_REGISTRY)/$(ISSO_IMAGE)
+
+# For maintainers making releases only:
+docker-release-push:
+	docker tag $(ISSO_RELEASE_IMAGE) $(ISSO_DOCKER_REGISTRY)/$(ISSO_RELEASE_IMAGE)
+	docker push $(ISSO_DOCKER_REGISTRY)/$(ISSO_RELEASE_IMAGE)
 
 docker-testbed:
-	docker build -f docker/Dockerfile-js-testbed -t isso-js-testbed .
+	docker build -f docker/Dockerfile-js-testbed -t $(TESTBED_IMAGE) .
 
+# For maintainers only:
 docker-testbed-push:
-	docker tag isso-js-testbed:latest ghcr.io/isso-comments/isso-js-testbed:latest
-	docker push ghcr.io/isso-comments/isso-js-testbed:latest
+	docker tag $(TESTBED_IMAGE) $(ISSO_DOCKER_REGISTRY)/$(TESTBED_IMAGE)
+	docker push $(ISSO_DOCKER_REGISTRY)/$(TESTBED_IMAGE)
 
 docker-js-unit:
 	docker run \
@@ -150,4 +167,4 @@ clean:
 	rm -rf .pytest_cache/
 	rm -rf .coverage
 
-.PHONY: apidoc apidoc-init clean coverage docker docker-compare-screenshots docker-generate-screenshots docker-update-screenshots docker-js-unit docker-js-integration docker-push docker-testbed docker-testbed-push init test
+.PHONY: apidoc apidoc-init clean coverage docker docker-compare-screenshots docker-generate-screenshots docker-js-integration docker-js-unit docker-push docker-release docker-release-push docker-run docker-testbed docker-testbed-push docker-update-screenshots init test
diff --git a/README.md b/README.md
index bca092b84..2379cbd57 100644
--- a/README.md
+++ b/README.md
@@ -45,10 +45,20 @@ the [the full documentation](https://isso-comments.de/docs/).
 
 ## Docker
 
-A Docker image with the latest stable release is provided at
-`ghcr.io/isso-comments/isso:latest`. See
+> [!NOTE]  
+> The Docker image tagging scheme for stable releases was changed from `:latest`
+> to `:release` as of March 2024
+> ([#970](https://github.com/isso-comments/isso/pull/970), [#1012](https://github.com/isso-comments/isso/issues/1012))
+
+A [Docker image](https://github.com/isso-comments/isso/pkgs/container/isso) with
+the latest stable release is provided at `ghcr.io/isso-comments/isso:release`,
+while `isso:latest` is rebuilt on every push to the `master` branch. See
 [Using Docker](https://isso-comments.de/docs/reference/installation/#using-docker).
 
+The maintainers recommend pinning the image to a
+[release tag](https://github.com/isso-comments/isso/pkgs/container/isso), e.g.
+`isso:0.13.0`.
+
 ## Contributing
 
 - Pull requests are very much welcome! These might be
diff --git a/docker-compose.yml b/docker-compose.yml
index 5648a90ee..fc36eef29 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -14,17 +14,20 @@ services:
     #command: /isso/bin/isso -c /config/isso.cfg run
     environment:
       ISSO_SETTINGS: "/config/isso-dev.cfg"
+      ISSO_ENDPOINT: "http://isso-dev.local:8080"
     healthcheck:
-      test: wget --no-verbose --tries=1 --spider http://localhost:8080/info || exit 1
-      interval: 5s  # short timeout needed during start phase
-      retries: 3
-      start_period: 5s
-      timeout: 3s
+      # Double $$ for parsing vars inside CMD: https://stackoverflow.com/a/54989793
+      # Debug with 'docker inspect --format "{{json .State.Health }}" isso-server | jq'
+      test: wget --no-verbose --tries=1 --spider $$ISSO_ENDPOINT/info || exit 1
+      interval: 1s  # time before first check and between subsequent checks
+      retries: 10
+      start_period: 10s
+      timeout: 10s
     # If needed, production docker image can also be exposed to host for
     # non-docker unit/integration testing
     ports:
       - 127.0.0.1:8080:8080
-    # Expose port 80080 to other containerized services, not to host machine:
+    # Expose port 8080 to other containerized services, not to host machine:
     expose:
       - 8080
     networks:
@@ -49,6 +52,8 @@ services:
       dockerfile: docker/Dockerfile-js-testbed
     environment:
       ISSO_ENDPOINT: "http://isso-dev.local:8080"
+    healthcheck:
+      disable: true
     # Command may also run from outside docker compose, e.g.:
     # $ docker run isso-js-testbed [mount, networks, ...] npm run test-integration
     #command: npm run test-integration
diff --git a/docker/Dockerfile-js-testbed b/docker/Dockerfile-js-testbed
index 6cf666766..f8b05f59c 100644
--- a/docker/Dockerfile-js-testbed
+++ b/docker/Dockerfile-js-testbed
@@ -3,9 +3,9 @@
 
 # Note: Do not use alpine images as they do not contain needed GObject, X11
 # etc. packages and complicate things
-# :current resolves to NodeJS 17 on Debian Buster as of 03/2022
+# :22-bookworm resolves to NodeJS 22 on Debian Bookworm as of 04/2024
 # https://hub.docker.com/_/node
-FROM docker.io/node:current AS isso-js-testbed
+FROM docker.io/node:22-bookworm AS isso-js-testbed
 WORKDIR /src/
 
 # Install everything necessary to run headless
diff --git a/docs/docs/reference/installation.rst b/docs/docs/reference/installation.rst
index 302083c74..ea5cc377c 100644
--- a/docs/docs/reference/installation.rst
+++ b/docs/docs/reference/installation.rst
@@ -149,12 +149,30 @@ two options for running a Docker container:
 a) Official Docker image
 ^^^^^^^^^^^^^^^^^^^^^^^^
 
+.. attention::
+
+   The Docker image tagging scheme for stable releases was changed from ``:latest``
+   to ``:release`` as of March 2024 (`#970`_, `#1012`_).
+
+.. _#970: https://github.com/isso-comments/isso/pull/970
+.. _#1012: https://github.com/isso-comments/isso/pull/1012
+
+A `Docker image`_ with the latest stable release is provided at
+``ghcr.io/isso-comments/isso:release``, while ``isso:latest`` is rebuilt on
+every push to the ``master`` branch.
+
+The maintainers recommend pinning the image to a `release tag`_, e.g.
+``isso:0.13.0``.
+
 .. code-block:: console
 
-    $ docker pull ghcr.io/isso-comments/isso:latest
+    $ docker pull ghcr.io/isso-comments/isso:release
     $ docker run -d --rm --name isso -p 127.0.0.1:8080:8080 \
         -v /var/lib/isso:/config -v /var/lib/isso:/db \
-        ghcr.io/isso-comments/isso:latest
+        ghcr.io/isso-comments/isso:release
+
+.. _Docker image: https://github.com/isso-comments/isso/pkgs/container/isso
+.. _release tag: https://github.com/isso-comments/isso/pkgs/container/isso
 
 b) Build a Docker image yourself
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
diff --git a/isso/js/tests/screenshots/reference/comment.png b/isso/js/tests/screenshots/reference/comment.png
index 62db8f612..6d803c90f 100644
Binary files a/isso/js/tests/screenshots/reference/comment.png and b/isso/js/tests/screenshots/reference/comment.png differ
diff --git a/isso/js/tests/screenshots/reference/comment.png.hash b/isso/js/tests/screenshots/reference/comment.png.hash
index 4d164b791..752dd0259 100644
--- a/isso/js/tests/screenshots/reference/comment.png.hash
+++ b/isso/js/tests/screenshots/reference/comment.png.hash
@@ -1 +1 @@
-065f2dfac1c6bc174c8406e574f8890d3bb867b13407809eb9aec184f97c172d
+56314990cb566160044f46033a7bd0c4d8be5bb41afa44fa54cf156aed21bbe3
diff --git a/isso/js/tests/screenshots/reference/postbox.png b/isso/js/tests/screenshots/reference/postbox.png
index b384313a1..d1ddd1309 100644
Binary files a/isso/js/tests/screenshots/reference/postbox.png and b/isso/js/tests/screenshots/reference/postbox.png differ
diff --git a/isso/js/tests/screenshots/reference/postbox.png.hash b/isso/js/tests/screenshots/reference/postbox.png.hash
index b16afb9da..1fb65ad85 100644
--- a/isso/js/tests/screenshots/reference/postbox.png.hash
+++ b/isso/js/tests/screenshots/reference/postbox.png.hash
@@ -1 +1 @@
-0eb72a0e3faaf65c373383e9cfe9359de37e31c7f0e6e38c2b2369eb85f0eba4
+a218440951dbc7312118647c955d0d4480fc46bb6dddd72e0d9459744b471f32
diff --git a/isso/js/tests/screenshots/reference/thread.png b/isso/js/tests/screenshots/reference/thread.png
index 549f41203..4e4a02f34 100644
Binary files a/isso/js/tests/screenshots/reference/thread.png and b/isso/js/tests/screenshots/reference/thread.png differ
diff --git a/isso/js/tests/screenshots/reference/thread.png.hash b/isso/js/tests/screenshots/reference/thread.png.hash
index 49fe505d8..d793091e5 100644
--- a/isso/js/tests/screenshots/reference/thread.png.hash
+++ b/isso/js/tests/screenshots/reference/thread.png.hash
@@ -1 +1 @@
-3185d06957e792d48d28b47c3e2c7e89353aa8d70757d4c92890d38850a66e54
+78ea677962d3f80607995d9b88d81df2b7787832023cb7f1d64811829d0fc10a