diff --git a/.github/workflows/changesets_release.yml b/.github/workflows/changesets_release.yml
index a885ecd3a9..ee3f78a33b 100644
--- a/.github/workflows/changesets_release.yml
+++ b/.github/workflows/changesets_release.yml
@@ -43,7 +43,7 @@ jobs:
           publish: pnpm ci:publish
           title: 'chore: publish new package versions'
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.OLEKSII_PAT_TOKEN_FOR_DOCKERHUB_RELEASE_WORKFLOW }}
           HEX_API_KEY: ${{ secrets.HEX_API_KEY }}
       - name: Add latest tag to published packages
         if: steps.changesets.outputs.published == 'true'
diff --git a/.github/workflows/sync_service_dockerhub_image.yml b/.github/workflows/sync_service_dockerhub_image.yml
index 494c9499fd..a1f31c3550 100644
--- a/.github/workflows/sync_service_dockerhub_image.yml
+++ b/.github/workflows/sync_service_dockerhub_image.yml
@@ -4,7 +4,13 @@ on:
   push:
     branches: ['main']
   release:
-    released:
+    types: [released]
+  workflow_dispatch:
+    inputs:
+      release_tag:
+        description: 'The @core/sync-service@... tag to run for (e.g. @core/sync-service@v1.2.10)'
+        required: true
+        type: string
 
 jobs:
   derive_build_vars:
@@ -17,11 +23,20 @@ jobs:
     steps:
       - uses: actions/checkout@v4
         with:
-          # It is crucial that we checkout the actual HEAD commit of the branch instead of
-          # GitHub's ephemeral merge commit that it creates for CI runs by default.
-          # We rely on the correct HEAD commit to be checked out in order to determine the
-          # correct ELECTRIC_VERSION to bake into the Docker image.
-          ref: ${{ github.event.pull_request.head.sha }}
+          # The checked out commit influences the value of the ELECTRIC_VERSION variable
+          # that is baked into the Docker image.
+          #
+          # For regular pushes to main, we check out the HEAD commit and publish canary images.
+          #
+          # For releases we check out the tag corresponding to the release, e.g.
+          # @core/sync-service@v1.2.10.
+          #
+          # For manual triggers via workflow_dispatch, we check out the tag specified manually
+          # by the actor.
+          ref: ${{
+            github.event_name == 'release' && format('refs/tags/{0}', github.event.release.tag_name) ||
+            github.event_name == 'workflow_dispatch' && format('refs/tags/{0}', inputs.release_tag) ||
+            github.sha }}
           # Also important to fetch the whole history since otherwise we won't get that tags
           # that are required to determine the correct ELECTRIC_VERSION.
           fetch-depth: 0