diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml index 6ff1dfe0..70ac8f87 100644 --- a/.github/workflows/docker-publish.yml +++ b/.github/workflows/docker-publish.yml @@ -1,57 +1,56 @@ -name: Docker Build & Publish - +name: Publish Docker to GHCR on: push: tags: - "v*" - env: REGISTRY: ghcr.io IMAGE_NAME: ${{ github.repository }} - jobs: - build-and-push: + publish: + name: Build & Push to GHCR runs-on: ubuntu-latest permissions: contents: read packages: write - steps: - - name: Checkout + - name: Free disk space + run: | + sudo rm -rf /usr/share/dotnet + sudo rm -rf /usr/local/lib/android + sudo rm -rf /opt/ghc + sudo rm -rf /opt/hostedtoolcache/CodeQL + sudo docker image prune --all --force + df -h + + - name: Checkout repository uses: actions/checkout@v4 + - name: Extract tag name + id: meta + run: echo "tag=${GITHUB_REF_NAME}" >> $GITHUB_OUTPUT + + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - - name: Log in to GHCR + - name: Log in to GitHub Container Registry uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - - name: Extract metadata - id: meta - uses: docker/metadata-action@v5 - with: - images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} - tags: | - type=semver,pattern={{version}} - type=semver,pattern={{major}}.{{minor}} - type=raw,value=latest - - - name: Build and push + - name: Build and push Docker image uses: docker/build-push-action@v6 with: context: . - platforms: linux/amd64 + file: ./Dockerfile push: true - tags: ${{ steps.meta.outputs.tags }} + platforms: linux/amd64 + tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.tag }} labels: ${{ steps.meta.outputs.labels }} - build-args: | - BUN_PUBLIC_BASE_URL=${{ vars.BUN_PUBLIC_BASE_URL }} cache-from: type=gha cache-to: type=gha,mode=max - - - \ No newline at end of file 
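Review bot: The `labels: ${{ steps.meta.outputs.labels }}` input kept on the build-and-push step now resolves to an empty string, because the step with `id: meta` is now a shell step that writes only `tag` to `$GITHUB_OUTPUT`. The pushed image therefore loses the OCI source and revision labels that `docker/metadata-action` used to supply, which makes a published tag harder to trace back to a commit. Either remove the `labels:` line or keep `docker/metadata-action@v5` for labels and tags. Separately, `docker/setup-qemu-action@v3` is added although `platforms` is still only `linux/amd64`; in a job holding `packages: write` I would drop that step and pin the remaining third-party actions to a full commit SHA rather than a mutable major tag.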
diff --git a/Dockerfile b/Dockerfile
index b374aacf..15c12c01 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,48 +1,69 @@
-FROM debian:bookworm-slim AS base
+# ==============================
+# Stage 1: Builder (Debian)
+# ==============================
+FROM node:20-bookworm-slim AS builder
-RUN apt-get update && apt-get install -y --no-install-recommends \
- curl unzip ca-certificates libssl3 && \
- rm -rf /var/lib/apt/lists/* && \
- curl -fsSL https://bun.sh/install | bash
-
-ENV PATH="/root/.bun/bin:$PATH"
 WORKDIR /app
-# ---- deps ----
-FROM base AS deps
+# Install dependencies yang sebelumnya pakai apk
+RUN apt-get update && apt-get install -y --no-install-recommends \
+ libc6 \
+ git \
+ openssl \
+ ca-certificates \
+ && rm -rf /var/lib/apt/lists/*
-COPY package.json bun.lockb ./
-RUN bun install --frozen-lockfile
+COPY package.json bun.lockb* ./
-# ---- builder ----
-FROM deps AS builder
+ENV ONNXRUNTIME_NODE_INSTALL_CUDA=0
+ENV SHARP_IGNORE_GLOBAL_LIBVIPS=1
-COPY prisma ./prisma
-RUN bunx prisma generate
+RUN npm install --ignore-scripts
-COPY src ./src
-COPY types ./types
-COPY tsconfig.json ./
+COPY . .
-# BUN_PUBLIC_* vars are baked into the browser bundle at build time
-ARG BUN_PUBLIC_BASE_URL
-ENV BUN_PUBLIC_BASE_URL=${BUN_PUBLIC_BASE_URL}
-RUN bun run build
+# Skip telemetry & limit memory
+ENV NEXT_TELEMETRY_DISABLED=1
+ENV NODE_OPTIONS="--max-old-space-size=4096"
-# ---- runner ----
-FROM base AS runner
+# Generate prisma client
+RUN npx prisma generate
-COPY package.json bun.lockb ./
-RUN bun install --production
+# Build Next.js
+RUN npm run build
-COPY --from=builder /app/generated ./generated
-COPY --from=builder /app/.next ./.next
-COPY src ./src
-COPY prisma ./prisma
-COPY types ./types
-COPY tsconfig.json ./
+
+# ==============================
+# Stage 2: Runner (Debian)
+# ==============================
+FROM node:20-bookworm-slim AS runner
+
+WORKDIR /app
 ENV NODE_ENV=production
+ENV NEXT_TELEMETRY_DISABLED=1
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+ openssl \
+ ca-certificates \
+ && rm -rf /var/lib/apt/lists/*
+
+# Buat user non-root (cara Debian)
+RUN groupadd --system --gid 1001 nodejs \
+ && useradd --system --uid 1001 --gid nodejs nextjs
+
+COPY --from=builder /app/public ./public
+COPY --from=builder /app/.next ./.next
+COPY --from=builder /app/node_modules ./node_modules
+COPY --from=builder /app/package.json ./package.json
+
+RUN chown -R nextjs:nodejs /app
+
+USER nextjs
+
 EXPOSE 3000
-CMD ["bun", "run", "./src/index.tsx"]
+ENV PORT=3000
+ENV HOSTNAME="0.0.0.0"
+
+CMD ["npx", "next", "start"]
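Review bot: `RUN npm install --ignore-scripts` runs with only `package.json` and `bun.lockb*` copied in, and npm does not read Bun's lockfile, so every published image resolves dependency versions afresh where the old build used `bun install --frozen-lockfile`. Commit an npm lockfile and install from it: `COPY package.json package-lock.json ./` and `RUN npm ci --ignore-scripts`. The runner stage then copies the builder's whole `node_modules`, dev dependencies included, where the old runner installed with `--production`; running `npm prune --omit=dev` in the builder after the build would keep build-only packages out of the runtime image. `COPY . .` also pulls the entire build context into a layer that the workflow exports to the GHA cache, so a `.dockerignore` excluding `.env*` and `.git` is worth confirming (not visible in this diff).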