diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
new file mode 100644
index 0000000000000..209ec85390e0a
--- /dev/null
+++ b/.github/workflows/docker-build.yml
@@ -0,0 +1,82 @@
+name: Build Docker Images
+
+on:
+  push:
+    branches: [ main, movement, ci/* ]
+    tags:
+      - 'v*'
+      - 'release-*'
+  pull_request:
+    types: [labeled]
+  workflow_dispatch:
+    inputs:
+      ref:
+        description: 'Branch, tag, or SHA to build (e.g., main, v1.0.0, abc123)'
+        required: false
+        default: ''
+      GIT_SHA:
+        description: 'Git SHA to build (deprecated - use ref instead)'
+        required: false
+      FEATURES:
+        description: 'Cargo features to enable'
+        required: false
+      PROFILE:
+        description: 'Cargo build profile'
+        required: false
+        default: 'release'
+
+# Add permissions block to ensure the workflow has access to packages
+permissions:
+  contents: read
+  packages: write
+  id-token: write  # Needed for OIDC authentication to ghcr.io
+
+jobs:
+  build:
+    runs-on: buildjet-16vcpu-ubuntu-2204
+    # Only run if it's not a PR event, or if it's a PR with the movement-docker-build label
+    if: |
+      github.event_name != 'pull_request' || 
+      (github.event_name == 'pull_request' && github.event.label.name == 'movement-docker-build')
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0  # Fetch all history
+          # For PRs, checkout the PR branch; for manual triggers use provided ref; otherwise use github.ref
+          ref: ${{ github.event.pull_request.head.sha || github.event.inputs.ref || github.event.inputs.GIT_SHA || github.ref }}
+      
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      
+      - name: Build and Push Images
+        run: |
+          # Use the original working approach from ci/build branch
+          export TARGET_CACHE_ID=${GITHUB_REF#refs/heads/}
+          
+          # Set registry variables for GitHub Container Registry only
+          export GCP_DOCKER_ARTIFACT_REPO=""  # Not using GCP
+          export AWS_ECR_ACCOUNT_NUM=""  # Not using AWS
+          export TARGET_REGISTRY="local"  # This triggers ghcr.io usage in generate_tags
+          
+          # GitHub Container Registry configuration
+          export GHCR_ORG="movementlabsxyz"
+          export PROFILE=${{ github.event.inputs.PROFILE || 'release' }}
+          export FEATURES="${{ github.event.inputs.FEATURES }}"
+          export CARGO_TARGET_DIR="target/${FEATURES:-default}"
+          
+          # Show build configuration
+          echo "Building with:"
+          echo "  TARGET_CACHE_ID: $TARGET_CACHE_ID"
+          echo "  PROFILE: $PROFILE"
+          echo "  FEATURES: $FEATURES"
+          echo "  Git SHA: $(git rev-parse HEAD)"
+          echo "  Event: ${{ github.event_name }}"
+          
+          docker/builder/docker-bake-rust-all.sh 
\ No newline at end of file
diff --git a/docker/builder/build-indexer.sh b/docker/builder/build-indexer.sh
index 9152cc6661210..1427c300a846d 100755
--- a/docker/builder/build-indexer.sh
+++ b/docker/builder/build-indexer.sh
@@ -10,23 +10,11 @@ echo "PROFILE: $PROFILE"
 
 echo "CARGO_TARGET_DIR: $CARGO_TARGET_DIR"
 
-# Build all the rust binaries
-cargo build --locked --profile=$PROFILE \
-    -p aptos-indexer-grpc-cache-worker \
-    -p aptos-indexer-grpc-file-store \
-    -p aptos-indexer-grpc-data-service \
-    -p aptos-nft-metadata-crawler-parser \
-    -p aptos-indexer-grpc-in-memory-cache-benchmark \
-    "$@"
+# Build all the rust binaries - indexer-grpc components removed as not needed
+echo "No indexer binaries to build - skipping cargo build"
 
 # After building, copy the binaries we need to `dist` since the `target` directory is used as docker cache mount and only available during the RUN step
-BINS=(
-    aptos-indexer-grpc-cache-worker
-    aptos-indexer-grpc-file-store
-    aptos-indexer-grpc-data-service
-    aptos-nft-metadata-crawler-parser
-    aptos-indexer-grpc-in-memory-cache-benchmark
-)
+BINS=()
 
 mkdir dist
 
diff --git a/docker/builder/build-tools.sh b/docker/builder/build-tools.sh
index 4353994aec648..834af44c0db13 100755
--- a/docker/builder/build-tools.sh
+++ b/docker/builder/build-tools.sh
@@ -11,14 +11,13 @@ echo "CARGO_TARGET_DIR: $CARGO_TARGET_DIR"
 
 # Build all the rust binaries
 cargo build --locked --profile=$PROFILE \
-    -p aptos \
+    -p movement \
     -p aptos-backup-cli \
     -p aptos-faucet-service \
     -p aptos-fn-check-client \
     -p aptos-node-checker \
     -p aptos-openapi-spec-generator \
     -p aptos-telemetry-service \
-    -p aptos-keyless-pepper-service \
     -p aptos-debugger \
     -p aptos-transaction-emitter \
     -p aptos-api-tester \
@@ -26,12 +25,11 @@ cargo build --locked --profile=$PROFILE \
 
 # After building, copy the binaries we need to `dist` since the `target` directory is used as docker cache mount and only available during the RUN step
 BINS=(
-    aptos
+    movement
     aptos-faucet-service
     aptos-node-checker
     aptos-openapi-spec-generator
     aptos-telemetry-service
-    aptos-keyless-pepper-service
     aptos-fn-check-client
     aptos-debugger
     aptos-transaction-emitter
diff --git a/docker/builder/docker-bake-rust-all.hcl b/docker/builder/docker-bake-rust-all.hcl
index fed87ea776b87..c9fe520e14e85 100644
--- a/docker/builder/docker-bake-rust-all.hcl
+++ b/docker/builder/docker-bake-rust-all.hcl
@@ -24,6 +24,8 @@ variable "GCP_DOCKER_ARTIFACT_REPO" {}
 
 variable "AWS_ECR_ACCOUNT_NUM" {}
 
+variable "GHCR_ORG" {}
+
 variable "TARGET_REGISTRY" {
   // must be "gcp" | "local" | "remote-all" | "remote" (deprecated, but kept for backwards compatibility. Same as "gcp"), informs which docker tags are being generated
   default = CI == "true" ? "remote" : "local"
@@ -54,10 +56,7 @@ group "all" {
     "faucet",
     "forge",
     "telemetry-service",
-    "keyless-pepper-service",
-    "indexer-grpc",
     "validator-testing",
-    "nft-metadata-crawler",
   ])
 }
 
@@ -203,26 +202,8 @@ target "telemetry-service" {
   tags       = generate_tags("telemetry-service")
 }
 
-target "keyless-pepper-service" {
-  inherits   = ["_common"]
-  dockerfile = "docker/builder/keyless-pepper-service.Dockerfile"
-  target     = "keyless-pepper-service"
-  tags       = generate_tags("keyless-pepper-service")
-}
 
-target "indexer-grpc" {
-  inherits   = ["_common"]
-  dockerfile = "docker/builder/indexer-grpc.Dockerfile"
-  target     = "indexer-grpc"
-  tags       = generate_tags("indexer-grpc")
-}
 
-target "nft-metadata-crawler" {
-  inherits   = ["_common"]
-  target     = "nft-metadata-crawler"
-  dockerfile = "docker/builder/nft-metadata-crawler.Dockerfile"
-  tags       = generate_tags("nft-metadata-crawler")
-}
 
 function "generate_tags" {
   params = [target]
@@ -235,9 +216,9 @@ function "generate_tags" {
     TARGET_REGISTRY == "gcp" || TARGET_REGISTRY == "remote" ? [
       "${GCP_DOCKER_ARTIFACT_REPO}/${target}:${IMAGE_TAG_PREFIX}${GIT_SHA}",
       "${GCP_DOCKER_ARTIFACT_REPO}/${target}:${IMAGE_TAG_PREFIX}${NORMALIZED_GIT_BRANCH_OR_PR}",
-      ] : [ // "local" or any other value
-      "aptos-core/${target}:${IMAGE_TAG_PREFIX}${GIT_SHA}-from-local",
-      "aptos-core/${target}:${IMAGE_TAG_PREFIX}from-local",
+      ] : [ // Use GitHub Container Registry for local/default builds
+      "ghcr.io/${GHCR_ORG}/${target}:${IMAGE_TAG_PREFIX}${GIT_SHA}",
+      "ghcr.io/${GHCR_ORG}/${target}:${IMAGE_TAG_PREFIX}${NORMALIZED_GIT_BRANCH_OR_PR}",
     ]
   )
 }
diff --git a/docker/builder/tools.Dockerfile b/docker/builder/tools.Dockerfile
index a62e67e099f0c..efbe872e0ecf4 100644
--- a/docker/builder/tools.Dockerfile
+++ b/docker/builder/tools.Dockerfile
@@ -6,12 +6,12 @@ RUN echo "deb http://deb.debian.org/debian bullseye main" > /etc/apt/sources.lis
 
 RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
     --mount=type=cache,target=/var/lib/apt,sharing=locked \
-    apt-get update && apt-get --no-install-recommends --allow-downgrades -y \
+    apt-get update && apt-get --no-install-recommends -y \
     install \
     wget \
     curl \
-    perl-base=5.32.1-4+deb11u1 \
-    libtinfo6=6.2+20201114-2+deb11u2 \
+    perl-base \
+    libtinfo6 \
     git \
     libssl1.1 \
     ca-certificates \
@@ -33,7 +33,7 @@ RUN wget https://storage.googleapis.com/pub/gsutil.tar.gz -O- | tar --gzip --dir
 RUN cd /usr/local/bin && wget "https://storage.googleapis.com/kubernetes-release/release/v1.18.6/bin/linux/amd64/kubectl" -O kubectl && chmod +x kubectl
 
 COPY --link --from=tools-builder /aptos/dist/aptos-debugger /usr/local/bin/aptos-debugger
-COPY --link --from=tools-builder /aptos/dist/aptos /usr/local/bin/aptos
+COPY --link --from=tools-builder /aptos/dist/movement /usr/local/bin/movement
 COPY --link --from=tools-builder /aptos/dist/aptos-openapi-spec-generator /usr/local/bin/aptos-openapi-spec-generator
 COPY --link --from=tools-builder /aptos/dist/aptos-fn-check-client /usr/local/bin/aptos-fn-check-client
 COPY --link --from=tools-builder /aptos/dist/aptos-transaction-emitter /usr/local/bin/aptos-transaction-emitter