diff --git a/Dockerfile b/Dockerfile
index f249fd326..5b86617d3 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -36,7 +36,7 @@ COPY --from=builder /opt/app-root/src/server /usr/local/bin/fulcio-server
 ENTRYPOINT ["/usr/local/bin/fulcio-server", "serve"]
 
 # debug compile options & debugger
-FROM deploy as debug
+FROM registry.access.redhat.com/ubi9/go-toolset@sha256:52ab391730a63945f61d93e8c913db4cc7a96f200de909cd525e2632055d9fa6 as debug
 RUN go install github.com/go-delve/delve/cmd/dlv@v1.8.0
 
 # overwrite server and include debugger
diff --git a/ci b/ci
new file mode 100644
index 000000000..6706ba372
--- /dev/null
+++ b/ci
@@ -0,0 +1 @@
+Tue Oct 17 18:03:34 EDT 2023
diff --git a/redhat/overlays/Dockerfile b/redhat/overlays/Dockerfile
new file mode 100644
index 000000000..5b86617d3
--- /dev/null
+++ b/redhat/overlays/Dockerfile
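Review bot: Rebasing the debug stage on the go-toolset digest instead of `deploy` drops the `ENTRYPOINT ["/usr/local/bin/fulcio-server", "serve"]` the stage previously inherited from `deploy`, so an image built with `--target debug` will start the base image's default command rather than the `server_debug` binary it copies to /usr/local/bin/fulcio-server. Restore it inside the debug stage, after the COPY that follows this hunk: `ENTRYPOINT ["/usr/local/bin/fulcio-server", "serve"]`. The rest of the debug stage is outside the hunk, and the new redhat/overlays/Dockerfile in this commit has the same omission. Style: this stage uses `as` while the builder stage uses `AS`; pick one casing for every stage.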
@@ -0,0 +1,49 @@
+#
+# Copyright 2021 The Sigstore Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM registry.access.redhat.com/ubi9/go-toolset@sha256:52ab391730a63945f61d93e8c913db4cc7a96f200de909cd525e2632055d9fa6 AS builder
+ENV APP_ROOT=/opt/app-root
+ENV GOPATH=$APP_ROOT
+
+WORKDIR $APP_ROOT/src/
+ADD go.mod go.sum $APP_ROOT/src/
+RUN go mod download
+
+# Add source code
+ADD ./ $APP_ROOT/src/
+
+RUN go build -o server main.go
+RUN CGO_ENABLED=1 go build -gcflags "all=-N -l" -o server_debug main.go
+
+# Multi-Stage production build
+FROM registry.access.redhat.com/ubi9/go-toolset@sha256:52ab391730a63945f61d93e8c913db4cc7a96f200de909cd525e2632055d9fa6 as deploy
+
+# Retrieve the binary from the previous stage
+COPY --from=builder /opt/app-root/src/server /usr/local/bin/fulcio-server
+# Set the binary as the entrypoint of the container
+ENTRYPOINT ["/usr/local/bin/fulcio-server", "serve"]
+
+# debug compile options & debugger
+FROM registry.access.redhat.com/ubi9/go-toolset@sha256:52ab391730a63945f61d93e8c913db4cc7a96f200de909cd525e2632055d9fa6 as debug
+RUN go install github.com/go-delve/delve/cmd/dlv@v1.8.0
+
+# overwrite server and include debugger
+COPY --from=builder /opt/app-root/src/server_debug /usr/local/bin/fulcio-server
+
+LABEL description="Fulcio is a free-to-use certificate authority for issuing code signing certificates for an OpenID Connect (OIDC) identity, such as email address."
+LABEL io.k8s.description="Fulcio is a free-to-use certificate authority for issuing code signing certificates for an OpenID Connect (OIDC) identity, such as email address."
+LABEL io.k8s.display-name="Fulcio container image for Red Hat Trusted Signer"
+LABEL io.openshift.tags="fulcio trusted-signer"
+LABEL summary="Provides the Fulcio CA for keyless signing with Red Hat Trusted Signer."
diff --git a/redhat/patches/0001-dockerfile.patch b/redhat/patches/0001-dockerfile.patch
new file mode 100644
index 000000000..3b0f1e9a5
--- /dev/null
+++ b/redhat/patches/0001-dockerfile.patch
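Review bot: The `deploy` stage (`FROM registry.access.redhat.com/ubi9/go-toolset@sha256:… as deploy`) uses the full Go toolchain image as the production runtime for a certificate authority that only needs the `server` binary it copies in (plus whatever runtime libraries and trust store that binary actually loads; confirm), so a minimal runtime base pinned by digest would remove a compiler, git and the rest of the toolchain from the attack surface and the CVE scan results. Neither the `deploy` nor the `debug` stage declares `USER`; unless the go-toolset base already switches to a non-root user (check the image metadata), the CA runs as root. `ADD go.mod go.sum $APP_ROOT/src/` and `ADD ./ $APP_ROOT/src/` copy local paths only, so `COPY` is the right instruction here, and `ADD ./` in particular should be paired with a `.dockerignore` so `.git`, local key material and build output do not land in the builder layer. The same deploy-stage base is introduced by redhat/patches/0001-dockerfile.patch below.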
@@ -0,0 +1,32 @@
+diff --git a/Dockerfile b/Dockerfile
+index 2e3a82f..00d2b3d 100644
+--- a/Dockerfile
++++ b/Dockerfile
+@@ -13,7 +13,7 @@
+ # See the License for the specific language governing permissions and
+ # limitations under the License.
+ 
+-FROM golang:1.20.6@sha256:cfc9d1b07b1ef4f7a4571f0b60a99646a92ef76adb7d9943f4cb7b606c6554e2 AS builder
++FROM registry.access.redhat.com/ubi9/go-toolset@sha256:52ab391730a63945f61d93e8c913db4cc7a96f200de909cd525e2632055d9fa6 AS builder
+ ENV APP_ROOT=/opt/app-root
+ ENV GOPATH=$APP_ROOT
+ 
+@@ -28,7 +28,7 @@ RUN go build -o server main.go
+ RUN CGO_ENABLED=1 go build -gcflags "all=-N -l" -o server_debug main.go
+ 
+ # Multi-Stage production build
+-FROM golang:1.20.6@sha256:cfc9d1b07b1ef4f7a4571f0b60a99646a92ef76adb7d9943f4cb7b606c6554e2 as deploy
++FROM registry.access.redhat.com/ubi9/go-toolset@sha256:52ab391730a63945f61d93e8c913db4cc7a96f200de909cd525e2632055d9fa6 as deploy
+ 
+ # Retrieve the binary from the previous stage
+ COPY --from=builder /opt/app-root/src/server /usr/local/bin/fulcio-server
+@@ -41,3 +41,9 @@ RUN go install github.com/go-delve/delve/cmd/dlv@v1.8.0
+ 
+ # overwrite server and include debugger
+ COPY --from=builder /opt/app-root/src/server_debug /usr/local/bin/fulcio-server
++
++LABEL description="Fulcio is a free-to-use certificate authority for issuing code signing certificates for an OpenID Connect (OIDC) identity, such as email address."
++LABEL io.k8s.description="Fulcio is a free-to-use certificate authority for issuing code signing certificates for an OpenID Connect (OIDC) identity, such as email address."
++LABEL io.k8s.display-name="Fulcio container image for Red Hat Trusted Signer"
++LABEL io.openshift.tags="fulcio trusted-signer"
++LABEL summary="Provides the Fulcio CA for keyless signing with Red Hat Trusted Signer."
diff --git a/redhat/release/update-to-head.sh b/redhat/release/update-to-head.sh
index 59711e9b6..5e3e0da4e 100755
--- a/redhat/release/update-to-head.sh
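Review bot: This patch rewrites only the builder and deploy `FROM` lines and adds the LABELs; it does not touch the upstream `FROM deploy as debug` line, yet the top-level Dockerfile and redhat/overlays/Dockerfile in this same commit put the go-toolset digest on the debug stage. If update-to-head.sh regenerates the Dockerfile by applying redhat/patches/* (its hunk below suggests so), the next sync will presumably flip the debug stage back to `FROM deploy as debug` and the two copies will drift. Either add the debug-stage hunk to this patch or keep a single source for the Dockerfile and drop the other copy. Since this is a context-matched patch, any upstream edit near lines 13, 28 or 41 of the Dockerfile will make `git apply` fail; the calling script should treat that as fatal rather than continue with a partially patched tree.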
+++ b/redhat/release/update-to-head.sh
@@ -53,21 +53,20 @@ robot_trigger_msg=":robot: triggering CI on branch '${redhat_ref}' after synchin
 # Reset release-next to upstream main or .
 git fetch upstream $upstream_ref
 if [[ "$upstream_ref" == "main" ]]; then
- git checkout upstream/main -B ${redhat_ref}
+ git checkout upstream/main -B ${redhat_ref}-ci
 else
- git checkout $upstream_ref -B ${redhat_ref}
+ git checkout $upstream_ref -B ${redhat_ref}-ci
 fi
+# RHTAP writes its pipeline files to the root of ${redhat_ref}
+# Fetch those from origin and merge them into the the ci branch
+git fetch origin $redhat_ref
+git merge origin/$redhat_ref --no-edit
+
 # Update redhat's main and take all needed files from there.
 git fetch origin $midstream_ref
 git checkout origin/$midstream_ref $custom_files
-# RHTAP writes its pipeline files to the root of ${redhat_ref}
-# Fetch those from origin and apply them to the the release branch
-# since we just wiped out our local copy with the upstream ref.
-git fetch origin $redhat_ref
-git checkout origin/$redhat_ref .tekton
-
 # Apply midstream patches
 if [[ -d redhat/patches ]]; then
 git apply redhat/patches/*
@@ -77,12 +76,7 @@ git add . # Adds applied patches
 git add $custom_files # Adds custom files
 git commit -m "${redhat_files_msg}"
-# Push the release-next branch
-git push -f origin "${redhat_ref}"
-
 # Trigger CI
-# TODO: Set up openshift or github CI to run on release-next-ci
-git checkout "${redhat_ref}" -B "${redhat_ref}"-ci
 date > ci
 git add ci
 git commit -m "${robot_trigger_msg}"
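Review bot: `git merge origin/$redhat_ref --no-edit` runs immediately after the branch was reset to the upstream ref, so any divergence between upstream and the RHTAP-written branch surfaces as a merge conflict; if the script does not run under `set -e` (its header is outside the hunk), the following `git checkout`, `git apply` and `git commit` steps proceed on a tree containing conflict markers and commit them. Guard it explicitly, e.g. `git merge origin/$redhat_ref --no-edit || { git merge --abort; exit 1; }`. The merge also brings in the whole of `origin/$redhat_ref`, not just the `.tekton` directory the removed `git checkout origin/$redhat_ref .tekton` took, so anything else committed to that branch now flows into the ci branch and through the patch and commit steps; worth confirming that is intended and that the branch is protected accordingly. Minor: the new comment reads `merge them into the the ci branch` (doubled "the"), and `$redhat_ref` is unquoted on the new lines while `"${redhat_ref}"` is quoted in the lines this commit removes.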