diff --git a/Dockerfile b/Dockerfile index 8a958996..21e43853 100644 --- a/Dockerfile +++ b/Dockerfile @@ -12,25 +12,40 @@ # See the License for the specific language governing permissions and # limitations under the License. -# See docs/development.md for details on how to test this image. +# Testing: docker run -e GITHUB_REF=refs/heads/main \ +# -e GITHUB_EVENT_NAME=branch_protection_rule \ +# -e INPUT_RESULTS_FORMAT=sarif \ +# -e INPUT_RESULTS_FILE=results.sarif \ +# -e GITHUB_WORKSPACE=/ \ +# -e INPUT_POLICY_FILE="/policy.yml" \ +# -e INPUT_REPO_TOKEN=$GITHUB_AUTH_TOKEN \ +# -e GITHUB_REPOSITORY="ossf/scorecard" \ +# laurentsimon/scorecard-action:latest -FROM gcr.io/openssf/scorecard:v4.3.1@sha256:6224d1a27c35e7b216befba798cb782adb400047caa60fc1bea30030da392a1b as base +#v1.17 go +FROM golang@sha256:bd9823cdad5700fb4abe983854488749421d5b4fc84154c30dae474100468b85 AS base +WORKDIR /src +ENV CGO_ENABLED=0 +COPY go.* ./ +RUN go mod download +COPY . ./ -# Build our image and update the root certs. -# TODO: use distroless. +FROM base AS build +ARG TARGETOS +ARG TARGETARCH +RUN CGO_ENABLED=0 make build + +# TODO: use distroless: +# FROM gcr.io/distroless/base:nonroot@sha256:02f667185ccf78dbaaf79376b6904aea6d832638e1314387c2c2932f217ac5cb FROM debian:11.3-slim@sha256:f6957458017ec31c4e325a76f39d6323c4c21b0e31572efa006baa927a160891 + RUN apt-get update && \ apt-get install -y --no-install-recommends \ + # For debugging. jq ca-certificates curl - -# Copy the scorecard binary from the official scorecard image. -COPY --from=base /scorecard /scorecard +COPY --from=build /src/scorecard-action / # Copy a test policy for local testing. COPY policies/template.yml /policy.yml -# Our entry point. -# Note: the file is executable in the repo -# and permission carry over to the image. -COPY entrypoint.sh /entrypoint.sh -ENTRYPOINT ["/entrypoint.sh"] +ENTRYPOINT [ "/scorecard-action" ] 
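Review bot: The runtime stage's `RUN apt-get update && apt-get install -y --no-install-recommends jq ca-certificates curl` leaves `/var/lib/apt/lists/*` in the final layer and installs unpinned packages that the inline comment itself labels "For debugging", so the shipped image carries tools the Go entrypoint may not need (the deleted entrypoint.sh was their only visible consumer); finish the same layer with `&& rm -rf /var/lib/apt/lists/*` and drop `jq`/`curl` if `/scorecard-action` does not call them. `ARG TARGETOS` and `ARG TARGETARCH` are declared in the build stage but `RUN CGO_ENABLED=0 make build` never references them, so they are dead unless the Makefile reads them from the environment — either pass them explicitly (`GOOS=$TARGETOS GOARCH=$TARGETARCH make build`) or remove the two lines. `FROM golang@sha256:…` with only `#v1.17 go` above it would be self-documenting as `FROM golang:1.17@sha256:<same digest> AS base`, as the removed scorecard line did with `scorecard:v4.3.1@sha256:…`. The `# Testing:` comment points at `laurentsimon/scorecard-action:latest`, a personal image; it should reference the project image `gcr.io/openssf/scorecard-action` that cloudbuild.yaml publishes.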
diff --git a/Dockerfile.golang b/Dockerfile.golang deleted file mode 100644 index 21e43853..00000000 --- a/Dockerfile.golang +++ /dev/null @@ -1,51 +0,0 @@ -# Copyright 2021 Security Scorecard Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Testing: docker run -e GITHUB_REF=refs/heads/main \ -# -e GITHUB_EVENT_NAME=branch_protection_rule \ -# -e INPUT_RESULTS_FORMAT=sarif \ -# -e INPUT_RESULTS_FILE=results.sarif \ -# -e GITHUB_WORKSPACE=/ \ -# -e INPUT_POLICY_FILE="/policy.yml" \ -# -e INPUT_REPO_TOKEN=$GITHUB_AUTH_TOKEN \ -# -e GITHUB_REPOSITORY="ossf/scorecard" \ -# laurentsimon/scorecard-action:latest - -#v1.17 go -FROM golang@sha256:bd9823cdad5700fb4abe983854488749421d5b4fc84154c30dae474100468b85 AS base -WORKDIR /src -ENV CGO_ENABLED=0 -COPY go.* ./ -RUN go mod download -COPY . ./ - -FROM base AS build -ARG TARGETOS -ARG TARGETARCH -RUN CGO_ENABLED=0 make build - -# TODO: use distroless: -# FROM gcr.io/distroless/base:nonroot@sha256:02f667185ccf78dbaaf79376b6904aea6d832638e1314387c2c2932f217ac5cb -FROM debian:11.3-slim@sha256:f6957458017ec31c4e325a76f39d6323c4c21b0e31572efa006baa927a160891 - -RUN apt-get update && \ - apt-get install -y --no-install-recommends \ - # For debugging. - jq ca-certificates curl -COPY --from=build /src/scorecard-action / - -# Copy a test policy for local testing. -COPY policies/template.yml /policy.yml - -ENTRYPOINT [ "/scorecard-action" ] diff --git a/README.md b/README.md index 8ecf8afb..ff588ea0 100644 --- a/README.md 
+++ b/README.md @@ -5,6 +5,13 @@ The Scorecards GitHub Action is free for all public repositories. Private repositories are supported if they have [GitHub Advanced Security](https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security). Private repositories without GitHub Advanced Security can run Scorecards from the command line by following the [standard installation instructions](https://github.com/ossf/scorecard#using-scorecards-1). + +## Breaking changes in v2 + +Starting from scorecard-action:v2, `GITHUB_TOKEN` permissions needs to incude +`token_id: write` for `publish_results: true`. This is needed to access GitHub's +OIDC token whuch verifies the authenticity of the result when publishing it. + ________ [Installation](#installation) - [Authentication](#authentication-with-pat) diff --git a/RELEASE.md b/RELEASE.md index 3788e0ca..0793240f 100644 --- a/RELEASE.md +++ b/RELEASE.md 
@@ -30,37 +30,6 @@ We're not striving for perfection with the template, but the tracking issue will serve as a reference point to aggregate feedback, so try your best to be as descriptive as possible. -## Preparing the release - -This section covers changes that need to be issued as a pull request and should -be merged before releasing the scorecard GitHub Action. - -### Update the scorecard version - -_NOTE: As the scorecard GitHub Action is based on scorecard, you may want to publish a new release of scorecard to ensure the next release of the GitHub Action has the most up-to-date functionality. This is not strictly required. The only requirement is that we use a stable scorecard version which is at or above the current version used for this action._ - -For the rest of document, let `CH1` be the hash of the scorecard image you -intend to use for this release. - -See [here](https://github.com/orgs/ossf/packages?repo_name=scorecard) for -scorecard images. - -(We'll use `0bc9576b3efbda7b38febbf0a1e1b9546894f9650aaead9ccb5edc7dade86552` -as `CH1` in any examples below.) - -Now that you have `CH1`, update the digest in the [Dockerfile](Dockerfile) to use `CH1`. - -Example: - -```Dockerfile -FROM gcr.io/openssf/scorecard:v100.0.0@sha256:0bc9576b3efbda7b38febbf0a1e1b9546894f9650aaead9ccb5edc7dade86552 as base -``` - -Create a pull request with this change. - -Once the PR is merged, note the GitHub commit hash. -We'll refer to this as `GH2` below. - ## Drafting release notes 
@@ -69,15 +38,31 @@ We'll refer to this as `GH2` below. ### Create a tag -Locally, create a signed tag based on `GH2`: +Locally, create a signed tag `Tag` on commitSHA `SHA`: ```console git remote update -git checkout `GH2` +git checkout `SHA` git tag -s -m "v100.0.0" v100.0.0 git push --tags ``` +### Update the scorecard-action version + +Note be the hash of the scorecard-action image (say, `CH1`) that was tagged with `Tag`. We will use this for the release. + +Update the digest in [action.yaml](action.yaml) to use `CH1`. + +Example: + +``` +runs: + using: "docker" + image: "docker://gcr.io/openssf/scorecard-action:CH1" +``` + +Create a pull request with this change and merge into `main`. + ### Create a GitHub release Create a diff --git a/action.yaml b/action.yaml index 77cc2e39..007b365e 100644 --- a/action.yaml +++ b/action.yaml @@ -48,6 +48,6 @@ branding: runs: using: "docker" - image: "./Dockerfile" + image: "docker://gcr.io/openssf/scorecard-action:latest" diff --git a/cloudbuild-tag.yaml b/cloudbuild-tag.yaml new file mode 100644 index 00000000..4e870750 --- /dev/null +++ b/cloudbuild-tag.yaml 
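Review bot: `image: "docker://gcr.io/openssf/scorecard-action:latest"` makes the action resolve a mutable tag at run time, so a workflow that pins `ossf/scorecard-action` to a commit SHA still executes whatever was most recently pushed to `:latest` — and the cloudbuild.yaml in this same commit tags its builds with `:latest`. That is the unpinned-container pattern Scorecard's own Pinned-Dependencies check reports, and it also makes past runs non-reproducible. The RELEASE.md text added here already assumes this line is rewritten to a digest at release time; the committed value should be digest-pinned as well, e.g. `image: "docker://gcr.io/openssf/scorecard-action@sha256:<digest-of-released-image>"`, with `:latest` kept only for local testing.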
@@ -0,0 +1,25 @@ +# Copyright 2021 Security Scorecard Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +steps: + - id: Get tag commit + name: gcr.io/cloud-builders/git + args: ['fetch', '--unshallow', '--tags', 'origin', '$COMMIT_SHA'] + - name: 'gcr.io/cloud-builders/docker' + args: ['build', '.', + '-t', 'gcr.io/openssf/scorecard-action:$TAG_NAME', + '-t', 'gcr.io/openssf/scorecard-action:$COMMIT_SHA', + '-f', 'Dockerfile'] +images: ['gcr.io/openssf/scorecard-action'] +timeout: '1600s' diff --git a/cloudbuild.yaml b/cloudbuild.yaml index aa4a4412..0e1f4921 100644 --- a/cloudbuild.yaml +++ b/cloudbuild.yaml @@ -17,6 +17,6 @@ steps: args: ['build', '.', '-t', 'gcr.io/openssf/scorecard-action:latest', '-t', 'gcr.io/openssf/scorecard-action:$COMMIT_SHA', - '-f', 'Dockerfile.golang'] + '-f', 'Dockerfile'] images: ['gcr.io/openssf/scorecard-action'] timeout: '1600s' diff --git a/entrypoint.sh b/entrypoint.sh deleted file mode 100755 index a756d492..00000000 --- a/entrypoint.sh +++ /dev/null 
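Review bot: Both steps run unpinned builder images (`gcr.io/cloud-builders/git` and `gcr.io/cloud-builders/docker` with no tag or digest), so the release build that produces the image action.yaml will later pin by digest is itself not reproducible; pin them, e.g. `name: 'gcr.io/cloud-builders/docker@sha256:<builder-digest>'`. The docker step has no `id:` while the first step does, which makes log filtering and any future `waitFor` reference inconsistent — `- id: Build image` would match the existing style. The `fetch --unshallow --tags origin $COMMIT_SHA` step presumably exists so the Dockerfile build can resolve tags, but nothing in this file shows what consumes them; a comment such as `# unshallow so the build can see the tag for $TAG_NAME` would record the reason.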
@@ -1,148 +0,0 @@ -#!/bin/bash -# Copyright 2021 Security Scorecard Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -set -euo pipefail - -# https://docs.github.com/en/actions/learn-github-actions/environment-variables -# GITHUB_EVENT_PATH contains the json file for the event. -# GITHUB_SHA contains the commit hash. -# GITHUB_WORKSPACE contains the repo folder. -# GITHUB_EVENT_NAME contains the event name. -# GITHUB_ACTIONS is true in GitHub env. - -if [[ -z "$INPUT_REPO_TOKEN" ]]; then - INPUT_REPO_TOKEN="$INPUT_INTERNAL_DEFAULT_TOKEN" - if [[ -z "$INPUT_REPO_TOKEN" ]]; then - exit 2 - fi - echo "The repo_token was empty so GITHUB_TOKEN is used instead" -fi - -export GITHUB_AUTH_TOKEN="$INPUT_REPO_TOKEN" -export ENABLE_SARIF=1 -export ENABLE_LICENSE=1 -export ENABLE_DANGEROUS_WORKFLOW=1 -export SCORECARD_POLICY_FILE="/policy.yml" # Copied at docker image creation. 
-export SCORECARD_RESULTS_FILE="$INPUT_RESULTS_FILE" -export SCORECARD_RESULTS_FORMAT="$INPUT_RESULTS_FORMAT" -export SCORECARD_PUBLISH_RESULTS="$INPUT_PUBLISH_RESULTS" -export SCORECARD_BIN="/scorecard" -export ENABLED_CHECKS= - -## ============================== WARNING ====================================== -# https://docs.github.com/en/actions/learn-github-actions/environment-variables -# export SCORECARD_PRIVATE_REPOSITORY="$(jq '.repository.private' $GITHUB_EVENT_PATH)" -# export SCORECARD_DEFAULT_BRANCH="refs/heads/$(jq -r '.repository.default_branch' $GITHUB_EVENT_PATH)" -# -# The $GITHUB_EVENT_PATH file produces: -# private: null -# default_branch: null -# -# for trigger event `schedule`. This is a bug. -# So instead we use the REST API to retrieve the data. -# -# Boolean inputs are strings https://github.com/actions/runner/issues/1483. -# =============================================================================== -status_code=$(curl -s -H "Authorization: Bearer $GITHUB_AUTH_TOKEN" https://api.github.com/repos/"$GITHUB_REPOSITORY" -o repo_info.json -w '%{http_code}') -if [[ $status_code -lt 200 ]] || [[ $status_code -ge 300 ]]; then - error_msg=$(jq -r .message repo_info.json 2>/dev/null || echo 'unknown error') - echo "Failed to get repository information from GitHub, response $status_code: $error_msg" - echo "$( "$SCORECARD_RESULTS_FILE" - else - $SCORECARD_BIN --local . --format "$SCORECARD_RESULTS_FORMAT" --show-details --policy "$SCORECARD_POLICY_FILE" > "$SCORECARD_RESULTS_FILE" - fi -else - # For other events, we run on the repo. - - # For the branch protection trigger, we only run the Branch-Protection check. 
- if [[ "$GITHUB_EVENT_NAME" == "branch_protection_rule" ]]; then - export ENABLED_CHECKS="--checks Branch-Protection" - fi - - if [ -z ${SCORECARD_POLICY_FILE+x} ]; then - $SCORECARD_BIN --repo="$GITHUB_REPOSITORY" --format "$SCORECARD_RESULTS_FORMAT" $ENABLED_CHECKS --show-details > "$SCORECARD_RESULTS_FILE" - else - $SCORECARD_BIN --repo="$GITHUB_REPOSITORY" --format "$SCORECARD_RESULTS_FORMAT" $ENABLED_CHECKS --show-details --policy "$SCORECARD_POLICY_FILE" > "$SCORECARD_RESULTS_FILE" - fi -fi - -if [[ "$SCORECARD_RESULTS_FORMAT" != "default" ]]; then - jq '.' "$SCORECARD_RESULTS_FILE" -fi