diff --git a/.tekton/cli-v08-push.yaml b/.tekton/cli-v08-push.yaml
index 590546c09..c5bbd450b 100644
--- a/.tekton/cli-v08-push.yaml
+++ b/.tekton/cli-v08-push.yaml
@@ -2,6 +2,7 @@ apiVersion: tekton.dev/v1
 kind: PipelineRun
 metadata:
 annotations:
+ build.appstudio.openshift.io/build-nudge-files: "Dockerfile.cli-stack.rh"
 build.appstudio.openshift.io/repo: https://github.com/conforma/cli?rev={{revision}}
 build.appstudio.redhat.com/commit_sha: '{{revision}}'
 build.appstudio.redhat.com/target_branch: '{{target_branch}}'
diff --git a/.tekton/conforma-cli-stack-pull-request.yaml b/.tekton/conforma-cli-stack-pull-request.yaml
new file mode 100644
index 000000000..b69a0f242
--- /dev/null
+++ b/.tekton/conforma-cli-stack-pull-request.yaml
@@ -0,0 +1,54 @@
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+ annotations:
+ build.appstudio.openshift.io/repo: https://github.com/conforma/cli?rev={{revision}}
+ build.appstudio.redhat.com/commit_sha: '{{revision}}'
+ build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}'
+ build.appstudio.redhat.com/target_branch: '{{target_branch}}'
+ pipelinesascode.tekton.dev/max-keep-runs: "3"
+ pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch
+ == "release-v0.8"
+ creationTimestamp: null
+ labels:
+ appstudio.openshift.io/application: cli-stacks
+ appstudio.openshift.io/component: conforma-cli-stack
+ pipelines.appstudio.openshift.io/type: build
+ name: conforma-cli-stack-on-pull-request
+ namespace: rhtas-tenant
+spec:
+ params:
+ - name: release-version
+ value: 1.4.0
+ - name: dockerfile
+ value: Dockerfile.cli-stack.rh
+ - name: git-url
+ value: '{{repo_url}}'
+ - name: image-expires-after
+ value: 5d
+ - name: output-image
+ value: quay.io/securesign/conforma-cli-stack:on-pr-{{revision}}
+ - name: path-context
+ value: .
+ - name: revision
+ value: '{{revision}}'
+ - name: hermetic
+ value: "true"
+ - name: build-source-image
+ value: "true"
+ pipelineRef:
+ params:
+ - name: url
+ value: https://github.com/securesign/pipelines.git
+ - name: revision
+ value: main
+ - name: pathInRepo
+ value: pipelines/docker-build-oci-ta.yaml
+ resolver: git
+ taskRunTemplate:
+ serviceAccountName: build-pipeline-conforma-cli-stack
+ workspaces:
+ - name: git-auth
+ secret:
+ secretName: '{{ git_auth_secret }}'
+status: {}
diff --git a/.tekton/conforma-cli-stack-push.yaml b/.tekton/conforma-cli-stack-push.yaml
new file mode 100644
index 000000000..b10b5db0b
--- /dev/null
+++ b/.tekton/conforma-cli-stack-push.yaml
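Review bot: `pipelineRef` resolves the build pipeline from `https://github.com/securesign/pipelines.git` at `revision: main`, so what actually runs for each build is whatever that branch holds at run time rather than a fixed, reviewed definition. For a run that produces a release artifact (`hermetic: "true"`, `build-source-image: "true"`) the reference is more trustworthy pinned to a commit SHA or tag and bumped deliberately, e.g. `value: <pinned-commit-sha>` (placeholder). The same floating reference appears in the push pipeline in the next hunk (`.tekton/conforma-cli-stack-push.yaml`). If tracking `main` is intentional so upstream pipeline fixes are picked up automatically, a one-line comment above `pipelineRef` saying so would spare the next reviewer the question.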
@@ -0,0 +1,51 @@
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+ annotations:
+ build.appstudio.openshift.io/repo: https://github.com/conforma/cli?rev={{revision}}
+ build.appstudio.redhat.com/commit_sha: '{{revision}}'
+ build.appstudio.redhat.com/target_branch: '{{target_branch}}'
+ pipelinesascode.tekton.dev/max-keep-runs: "3"
+ pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch
+ == "release-v0.8"
+ creationTimestamp: null
+ labels:
+ appstudio.openshift.io/application: cli-stacks
+ appstudio.openshift.io/component: conforma-cli-stack
+ pipelines.appstudio.openshift.io/type: build
+ name: conforma-cli-stack-on-push
+ namespace: rhtas-tenant
+spec:
+ params:
+ - name: release-version
+ value: 1.4.0
+ - name: dockerfile
+ value: Dockerfile.cli-stack.rh
+ - name: git-url
+ value: '{{repo_url}}'
+ - name: output-image
+ value: quay.io/securesign/conforma-cli-stack:{{revision}}
+ - name: path-context
+ value: .
+ - name: revision
+ value: '{{revision}}'
+ - name: hermetic
+ value: "true"
+ - name: build-source-image
+ value: "true"
+ pipelineRef:
+ params:
+ - name: url
+ value: https://github.com/securesign/pipelines.git
+ - name: revision
+ value: main
+ - name: pathInRepo
+ value: pipelines/docker-build-oci-ta.yaml
+ resolver: git
+ taskRunTemplate:
+ serviceAccountName: build-pipeline-conforma-cli-stack
+ workspaces:
+ - name: git-auth
+ secret:
+ secretName: '{{ git_auth_secret }}'
+status: {}
diff --git a/Dockerfile.cli-stack.rh b/Dockerfile.cli-stack.rh
new file mode 100644
index 000000000..17270c810
--- /dev/null
+++ b/Dockerfile.cli-stack.rh
@@ -0,0 +1,86 @@
+# Copyright The Conforma Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+## Build
+
+FROM --platform=linux/amd64 quay.io/redhat-user-workloads/rhtap-contract-tenant/ec-v08/cli-v08@sha256:7d2ecffad4cee873caee676eda74c5acd6254e64bbca8280b1d69f0806426999 AS build-amd64
+FROM --platform=linux/arm64 quay.io/redhat-user-workloads/rhtap-contract-tenant/ec-v08/cli-v08@sha256:9f39e82fd59f414bc26207d18588c5ffbf8c9c0ca00e81e68f80f2c39db01657 AS build-arm64
+FROM --platform=linux/ppc64le quay.io/redhat-user-workloads/rhtap-contract-tenant/ec-v08/cli-v08@sha256:2e385572d9cc508288e5a4cc7a44c22de4266be860e725a7795d4402db1314c0 AS build-ppc64le
+FROM --platform=linux/s390x quay.io/redhat-user-workloads/rhtap-contract-tenant/ec-v08/cli-v08@sha256:e725abfa91aa21d28d2ae5b5c5fa5544bcd3998b48c18d268d981c1ad51d3f1f AS build-s390x
+
+# Use "build" to avoid an error from the version checker in
+# https://github.com/conforma/github-workflows/tree/main/golang-version-check
+FROM registry.access.redhat.com/ubi9/go-toolset:1.25.3@sha256:e8938564f866174a6d79e55dfe577c2ed184b1f53e91d782173fb69b07ce69ef AS build
+USER root
+RUN mkdir -p /binaries
+
+# Native Linux binaries from each arch variant
+COPY --from=build-amd64 /usr/local/bin/ec_linux_amd64.gz /tmp/ec_linux_amd64.gz
+RUN gzip -d /tmp/ec_linux_amd64.gz && \
+ tar -czf /binaries/ec_linux_amd64.tar.gz -C /tmp ec_linux_amd64 && \
+ rm /tmp/ec_linux_amd64
+
+COPY --from=build-arm64 /usr/local/bin/ec_linux_arm64.gz /tmp/ec_linux_arm64.gz
+RUN gzip -d /tmp/ec_linux_arm64.gz && \
+ tar -czf /binaries/ec_linux_arm64.tar.gz -C /tmp ec_linux_arm64 && \
+ rm /tmp/ec_linux_arm64
+
+COPY --from=build-ppc64le /usr/local/bin/ec_linux_ppc64le.gz /tmp/ec_linux_ppc64le.gz
+RUN gzip -d /tmp/ec_linux_ppc64le.gz && \
+ tar -czf /binaries/ec_linux_ppc64le.tar.gz -C /tmp ec_linux_ppc64le && \
+ rm /tmp/ec_linux_ppc64le
+
+COPY --from=build-s390x /usr/local/bin/ec_linux_s390x.gz /tmp/ec_linux_s390x.gz
+RUN gzip -d /tmp/ec_linux_s390x.gz && \
+ tar -czf /binaries/ec_linux_s390x.tar.gz -C /tmp ec_linux_s390x && \
+ rm /tmp/ec_linux_s390x
+
+# Cross-compiled binaries (same across all variants, taken from amd64)
+# Darwin amd64
+COPY --from=build-amd64 /usr/local/bin/ec_darwin_amd64.gz /tmp/ec_darwin_amd64.gz
+RUN gzip -d /tmp/ec_darwin_amd64.gz && \
+ tar -czf /binaries/ec_darwin_amd64.tar.gz -C /tmp ec_darwin_amd64 && \
+ rm /tmp/ec_darwin_amd64
+
+# Darwin arm64
+COPY --from=build-amd64 /usr/local/bin/ec_darwin_arm64.gz /tmp/ec_darwin_arm64.gz
+RUN gzip -d /tmp/ec_darwin_arm64.gz && \
+ tar -czf /binaries/ec_darwin_arm64.tar.gz -C /tmp ec_darwin_arm64 && \
+ rm /tmp/ec_darwin_arm64
+
+# Windows amd64
+COPY --from=build-amd64 /usr/local/bin/ec_windows_amd64.exe.gz /tmp/ec_windows_amd64.exe.gz
+RUN gzip -d /tmp/ec_windows_amd64.exe.gz && \
+ tar -czf /binaries/ec_windows_amd64.tar.gz -C /tmp ec_windows_amd64.exe && \
+ rm /tmp/ec_windows_amd64.exe
+
+# Final minimal image with all binaries
+FROM registry.access.redhat.com/ubi9/ubi-minimal:latest@sha256:83006d535923fcf1345067873524a3980316f51794f01d8655be55d6e9387183
+
+LABEL description="Flat image containing Conforma CLI binaries for all platforms and architectures"
+LABEL io.k8s.description="Flat image containing Conforma CLI binaries for all platforms and architectures"
+LABEL io.opencontainers.image.description="Flat image containing Conforma CLI binaries for all platforms and architectures"
+LABEL io.k8s.display-name="Conforma CLI stack image for Red Hat Trusted Artifact Signer"
+LABEL io.openshift.tags="conforma trusted-artifact-signer cli-stack"
+LABEL summary="Provides Conforma CLI binaries as tar.gz archives for CDN distribution."
+LABEL com.redhat.component="conforma-cli-stack"
+
+COPY --from=build /binaries/ /binaries/
+COPY --from=build-amd64 /licenses/ /licenses/
+
+RUN chown -R root:0 /binaries && chmod -R g+r /binaries
+
+USER 65532:65532
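Review bot: The archives produced by the seven `RUN gzip -d … && tar -czf … && rm …` steps in the `build` stage are not reproducible: GNU tar records the build-time mtime, uid/gid and readdir order of each entry and gzip embeds a timestamp, so rebuilding from identical inputs yields different `/binaries/*.tar.gz` digests, which makes it hard to tie the CDN-distributed tarballs back to one attested build. Passing `--sort=name --mtime=@0 --owner=0 --group=0 --numeric-owner` to tar and `-n` to gzip fixes that, and since the seven blocks differ only in the file name they collapse into a single loop, sketched below. Separately, `RUN chown -R root:0 /binaries && chmod -R g+r /binaries` in the final stage rewrites every archive into an extra layer; `COPY --from=build --chown=root:0 /binaries/ /binaries/` gives the same ownership at copy time, and the `g+r` bit is presumably already present from tar's default 0644 under the build stage's umask — worth confirming before dropping the chmod. The final image carries no `ENTRYPOINT`/`CMD`, which seems intentional for a binary-carrier image; a comment saying so next to the `ubi-minimal` `FROM` would make that explicit.

```dockerfile
# … unchanged: license header, per-arch FROM lines, go-toolset "build" stage, USER root …
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
RUN mkdir -p /binaries

# Native Linux binaries from each arch variant
COPY --from=build-amd64 /usr/local/bin/ec_linux_amd64.gz /tmp/ec_linux_amd64.gz
COPY --from=build-arm64 /usr/local/bin/ec_linux_arm64.gz /tmp/ec_linux_arm64.gz
COPY --from=build-ppc64le /usr/local/bin/ec_linux_ppc64le.gz /tmp/ec_linux_ppc64le.gz
COPY --from=build-s390x /usr/local/bin/ec_linux_s390x.gz /tmp/ec_linux_s390x.gz
# Cross-compiled binaries (same across all variants, taken from amd64)
COPY --from=build-amd64 /usr/local/bin/ec_darwin_amd64.gz /usr/local/bin/ec_darwin_arm64.gz /usr/local/bin/ec_windows_amd64.exe.gz /tmp/

# Repack each .gz into a deterministic tar.gz: fixed mtime and owner, sorted
# entries, no gzip timestamp, so the archive digest depends only on the binary.
# The Windows archive keeps the original name without ".exe" (ec_windows_amd64.tar.gz).
RUN set -eu; \
    for gz in /tmp/ec_*.gz; do \
      bin="$(basename "${gz%.gz}")"; \
      gzip -d "$gz"; \
      tar --sort=name --mtime=@0 --owner=0 --group=0 --numeric-owner \
          -cf - -C /tmp "$bin" | gzip -n > "/binaries/${bin%.exe}.tar.gz"; \
      rm "/tmp/$bin"; \
    done

# … unchanged: final ubi-minimal stage and LABELs …
COPY --from=build --chown=root:0 /binaries/ /binaries/
COPY --from=build-amd64 /licenses/ /licenses/

USER 65532:65532
```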