diff --git a/.circleci/config.yml b/.circleci/config.yml
index 645b031a2..d068a5c67 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -760,7 +760,6 @@ workflows:
       - build:
           name: build-chrony
           container-image: chrony
-          scan: true
       - build-cilium-envoy:
           version: ad831bdec4c93feeb2378aa9e1847c936ada6ef7
       - build-cilium-image-tools:
@@ -824,7 +823,6 @@ workflows:
       - build:
           name: build-external-dns
           container-image: external-dns
-          scan: true
       - buildx:
           name: build-golang-1.20-focal
           container-image: golang
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index bd7a1eacb..65c1bbdbb 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -9,15 +9,31 @@ jobs:
     strategy:
       matrix:
         job:
+          - dir: "./argocd-image-updater"
+            container-image: "argocd-image-updater"
+            scan: "true"
           - dir: "./bird"
             container-image: "bird"
             scan: "true"
+          - dir: "./bpf-map-pressure-exporter"
+            container-image: "bpf-map-pressure-exporter"
+            scan: "true"
+            make_test: true
+          - dir: "./chrony"
+            container-image: "chrony"
+            scan: "true"
+          - dir: "./contour"
+            container-image: "contour"
+            scan: "true"
           - dir: "./coredns"
             container-image: "coredns"
             scan: "true"
           - dir: "./etcd"
             container-image: "etcd"
             scan: "true"
+          - dir: "./external-dns"
+            container-image: "external-dns"
+            scan: "true"
           - dir: "./fluent-bit"
             container-image: "fluent-bit"
             scan: "true"
@@ -48,6 +64,9 @@ jobs:
           - dir: "./pod-delete-rate-limiter"
             container-image: "pod-delete-rate-limiter"
             make_test: true
+          - dir: "./sealed-secrets"
+            container-image: "sealed-secrets"
+            scan: "true"
           - dir: "./serf"
             container-image: "serf"
             scan: "true"
@@ -70,13 +89,6 @@ jobs:
           - dir: "./vault"
             container-image: "vault"
             scan: "true"
-          - dir: "./bpf-map-pressure-exporter"
-            container-image: "bpf-map-pressure-exporter"
-            scan: "true"
-            make_test: true
-          - dir: "./argocd-image-updater"
-            container-image: "argocd-image-updater"
-            scan: "true"
 
     runs-on: ubuntu-22.04
     env:
diff --git a/bird/README.md b/bird/README.md
index 3c3985920..1d3107f6f 100644
--- a/bird/README.md
+++ b/bird/README.md
@@ -27,7 +27,7 @@ $ docker run -d --read-only --cap-drop ALL \
     --network host --name bird \
     --mount type=tmpfs,destination=/run/bird \
     --mount type=bind,source=/your/bird.conf,target=/etc/bird/bird.conf \
-    quay.io/cybozu/bird:2.14
+    ghcr.io/cybozu/bird:2.14
 ```
 
 ### Use client tools
@@ -73,4 +73,4 @@ Daemon is up and running
 Docker images
 -------------
 
-Docker images are available on [Quay.io](https://quay.io/repository/cybozu/bird)
+Docker images are available on [ghcr.io](https://github.com/cybozu/neco-containers/pkgs/container/bird)
diff --git a/chrony/Dockerfile b/chrony/Dockerfile
index d2e2fef82..d7ee32f02 100644
--- a/chrony/Dockerfile
+++ b/chrony/Dockerfile
@@ -1,7 +1,7 @@
 # chrony container
 
 # Stage1: build from source
-FROM quay.io/cybozu/ubuntu-dev:22.04 AS build
+FROM ghcr.io/cybozu/ubuntu-dev:22.04 AS build
 ARG CHRONY_VERSION=4.4
 
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
@@ -20,7 +20,7 @@ RUN ./configure --exec-prefix=/usr/local/chrony --with-pidfile=/run/chrony/chron
 
 
 # Stage2: setup runtime container
-FROM quay.io/cybozu/ubuntu:22.04
+FROM ghcr.io/cybozu/ubuntu:22.04
 
 RUN apt-get update \
     && apt-get install -y --no-install-recommends libedit2 \
diff --git a/chrony/README.md b/chrony/README.md
index be1b3ab6f..523736cd8 100644
--- a/chrony/README.md
+++ b/chrony/README.md
@@ -25,7 +25,7 @@ Usage
     --cap-drop ALL \
     --cap-add SYS_TIME \
     --cap-add NET_BIND_SERVICE \
-    quay.io/cybozu/chrony:4.4
+    ghcr.io/cybozu/chrony:4.4
     ```
 
 ### Use `chronyc`
@@ -39,4 +39,4 @@ $ docker exec -it chrony chronyc tracking
 Docker images
 -------------
 
-Docker images are available on [Quay.io](https://quay.io/repository/cybozu/chrony)
+Docker images are available on [ghcr.io](https://github.com/cybozu/neco-containers/pkgs/container/chrony)
diff --git a/chrony/TAG b/chrony/TAG
index 258acdf1a..32185f0c8 100644
--- a/chrony/TAG
+++ b/chrony/TAG
@@ -1 +1 @@
-4.4.0.1
+4.4.0.2
diff --git a/contour/Dockerfile b/contour/Dockerfile
index d0ba12499..c1e9770bc 100644
--- a/contour/Dockerfile
+++ b/contour/Dockerfile
@@ -1,7 +1,7 @@
 # Contour container image
 
 # Stage1: build from source
-FROM quay.io/cybozu/golang:1.21-jammy AS build
+FROM ghcr.io/cybozu/golang:1.21-jammy AS build
 
 ARG CONTOUR_VERSION=1.27.0
 
diff --git a/contour/README.md b/contour/README.md
index 20e1ad4ef..aa0f1ba8b 100644
--- a/contour/README.md
+++ b/contour/README.md
@@ -12,7 +12,7 @@ Run the container
 
 ```console
 $ docker run -d --read-only --name=contour \
-    quay.io/cybozu/contour:1.27.0 serve
+    ghcr.io/cybozu/contour:1.27.0 serve
 ```
 
 [Contour]: https://github.com/heptio/contour
@@ -20,4 +20,4 @@ $ docker run -d --read-only --name=contour \
 Docker images
 -------------
 
-Docker images are available on [Quay.io](https://quay.io/repository/cybozu/contour)
+Docker images are available on [ghcr.io](https://github.com/cybozu/neco-containers/pkgs/container/contour)
diff --git a/contour/TAG b/contour/TAG
index 866a646a3..f314bb850 100644
--- a/contour/TAG
+++ b/contour/TAG
@@ -1 +1 @@
-1.27.0.1
+1.27.0.2
diff --git a/external-dns/Dockerfile b/external-dns/Dockerfile
index 82ad0e7fa..077e36d8c 100644
--- a/external-dns/Dockerfile
+++ b/external-dns/Dockerfile
@@ -1,7 +1,7 @@
 # ExternalDNS container image
 
 # Stage1: build from source
-FROM quay.io/cybozu/golang:1.21-jammy AS build
+FROM ghcr.io/cybozu/golang:1.21-jammy AS build
 
 ARG EXTERNALDNS_VERSION=0.14.0
 
@@ -15,7 +15,7 @@ WORKDIR /work/external-dns/
 RUN make build
 
 # Stage2: setup runtime container
-FROM quay.io/cybozu/ubuntu:22.04
+FROM ghcr.io/cybozu/ubuntu:22.04
 
 COPY --from=build /work/external-dns/build/external-dns /usr/local/external-dns/bin/external-dns
 COPY --from=build /work/external-dns/LICENSE  /usr/local/external-dns/LICENSE
diff --git a/external-dns/README.md b/external-dns/README.md
index 3bbb66dc1..7b674b64b 100644
--- a/external-dns/README.md
+++ b/external-dns/README.md
@@ -13,7 +13,7 @@ Run the container
 
 ```console
 $ docker run -d --read-only --name=external-dns \
-    quay.io/cybozu/external-dns:0.14.0.1 \
+    ghcr.io/cybozu/external-dns:0.14.0.1 \
     --registry=txt --txt-owner-id ... --provider ...
 ```
 
@@ -22,4 +22,4 @@ $ docker run -d --read-only --name=external-dns \
 Docker images
 -------------
 
-Docker images are available on [Quay.io](https://quay.io/repository/cybozu/external-dns)
+Docker images are available on [ghcr.io](https://github.com/cybozu/neco-containers/pkgs/container/external-dns)
diff --git a/external-dns/TAG b/external-dns/TAG
index e54d09d4e..809263882 100644
--- a/external-dns/TAG
+++ b/external-dns/TAG
@@ -1 +1 @@
-0.14.0.1
+0.14.0.2
diff --git a/golang-all/golang-1.20-focal/README.md b/golang-all/golang-1.20-focal/README.md
index 35d4b643f..96b21e734 100644
--- a/golang-all/golang-1.20-focal/README.md
+++ b/golang-all/golang-1.20-focal/README.md
@@ -16,4 +16,4 @@ This container is based on [ghcr.io/cybozu/ubuntu-dev](https://ghcr.io/repositor
 Docker images
 -------------
 
-Docker images are available on [Quay.io](https://quay.io/repository/cybozu/golang)
+Docker images are available on [ghcr.io](https://github.com/cybozu/neco-containers/pkgs/container/golang)
diff --git a/golang-all/golang-1.20-jammy/README.md b/golang-all/golang-1.20-jammy/README.md
index 35d4b643f..96b21e734 100644
--- a/golang-all/golang-1.20-jammy/README.md
+++ b/golang-all/golang-1.20-jammy/README.md
@@ -16,4 +16,4 @@ This container is based on [ghcr.io/cybozu/ubuntu-dev](https://ghcr.io/repositor
 Docker images
 -------------
 
-Docker images are available on [Quay.io](https://quay.io/repository/cybozu/golang)
+Docker images are available on [ghcr.io](https://github.com/cybozu/neco-containers/pkgs/container/golang)
diff --git a/golang-all/golang-1.21-focal/README.md b/golang-all/golang-1.21-focal/README.md
index 35d4b643f..96b21e734 100644
--- a/golang-all/golang-1.21-focal/README.md
+++ b/golang-all/golang-1.21-focal/README.md
@@ -16,4 +16,4 @@ This container is based on [ghcr.io/cybozu/ubuntu-dev](https://ghcr.io/repositor
 Docker images
 -------------
 
-Docker images are available on [Quay.io](https://quay.io/repository/cybozu/golang)
+Docker images are available on [ghcr.io](https://github.com/cybozu/neco-containers/pkgs/container/golang)
diff --git a/golang-all/golang-1.21-jammy/README.md b/golang-all/golang-1.21-jammy/README.md
index 35d4b643f..96b21e734 100644
--- a/golang-all/golang-1.21-jammy/README.md
+++ b/golang-all/golang-1.21-jammy/README.md
@@ -16,4 +16,4 @@ This container is based on [ghcr.io/cybozu/ubuntu-dev](https://ghcr.io/repositor
 Docker images
 -------------
 
-Docker images are available on [Quay.io](https://quay.io/repository/cybozu/golang)
+Docker images are available on [ghcr.io](https://github.com/cybozu/neco-containers/pkgs/container/golang)
diff --git a/sealed-secrets/Dockerfile b/sealed-secrets/Dockerfile
index d91e165ad..a5473af1b 100644
--- a/sealed-secrets/Dockerfile
+++ b/sealed-secrets/Dockerfile
@@ -1,5 +1,5 @@
 # Build stage
-FROM quay.io/cybozu/golang:1.21-jammy AS build
+FROM ghcr.io/cybozu/golang:1.21-jammy AS build
 
 ARG SEALED_SECRETS_VERSION=0.24.3
 
diff --git a/sealed-secrets/README.md b/sealed-secrets/README.md
index a59fd9420..b05b9f27b 100644
--- a/sealed-secrets/README.md
+++ b/sealed-secrets/README.md
@@ -6,4 +6,4 @@ This directory provides a Dockerfile to build a Docker container for [sealed-sec
 Docker images
 -------------
 
-Docker images are available on [Quay.io](https://quay.io/repository/cybozu/sealed-secrets)
+Docker images are available on [ghcr.io](https://github.com/cybozu/neco-containers/pkgs/container/sealed-secrets)
diff --git a/sealed-secrets/TAG b/sealed-secrets/TAG
index 36af70825..963f8bde3 100644
--- a/sealed-secrets/TAG
+++ b/sealed-secrets/TAG
@@ -1 +1 @@
-0.24.3.1
+0.24.3.2
diff --git a/serf/README.md b/serf/README.md
index ab5468e8e..d15c7b5ae 100644
--- a/serf/README.md
+++ b/serf/README.md
@@ -26,7 +26,7 @@ To launch serf server by `docker run`:
     $ docker run -d --rm --read-only --name serf \
        --mount type=bind,source=/your/config,target=/serf/config \
        -p 7373:7373 -p 7946:7946 \
-       quay.io/cybozu/serf:0.10 \
+       ghcr.io/cybozu/serf:0.10 \
          agent -config-dir=/serf/config
 
 To use serf cli, first install it in a host OS directory `DIR`:
@@ -34,7 +34,7 @@ To use serf cli, first install it in a host OS directory `DIR`:
     $ docker run --rm -u root:root \
       --entrypoint /usr/local/serf/install-tools \
       --mount type=bind,source=DIR,target=/host \
-      quay.io/cybozu/serf:0.10
+      ghcr.io/cybozu/serf:0.10
 
 Then run `serf` as follows:
 
@@ -43,4 +43,4 @@ Then run `serf` as follows:
 Docker images
 -------------
 
-Docker images are available on [Quay.io](https://quay.io/repository/cybozu/serf)
+Docker images are available on [ghcr.io](https://github.com/cybozu/neco-containers/pkgs/container/serf)
diff --git a/squid/README.md b/squid/README.md
index 9a2d9d266..d6a9d83fc 100644
--- a/squid/README.md
+++ b/squid/README.md
@@ -6,14 +6,14 @@
 
 ### Run with the default configuration
 
-    $ docker run -d --read-only quay.io/cybozu/squid:6
+    $ docker run -d --read-only ghcr.io/cybozu/squid:6
 ### Launch Squid with specific config file
 
 Prepare `squid.conf`, then execute following command.
 
     $  docker run -d --read-only \
         -v /path/to/your/squid.conf:/etc/squid/squid.conf:ro \
-        quay.io/cybozu/squid:6
+        ghcr.io/cybozu/squid:6
 
 Your `squid.conf` must have the following configurations:
 
@@ -24,4 +24,4 @@ Your `squid.conf` must have the following configurations:
 
 ## Docker images
 
-Docker images are available on [Quay.io](https://quay.io/repository/cybozu/squid)
+Docker images are available on [ghcr.io](https://github.com/cybozu/neco-containers/pkgs/container/squid)
diff --git a/unbound/README.md b/unbound/README.md
index eaad7baca..9f858b642 100644
--- a/unbound/README.md
+++ b/unbound/README.md
@@ -9,8 +9,8 @@
 Prepare config file `unbound.conf` at working directory, then execute following command.
 
     $  docker run --mount type=bind,source="$(pwd)"/unbound.conf,target=/etc/unbound.conf \
-        quay.io/cybozu/unbound:1.18 -c /etc/unbound.conf
+        ghcr.io/cybozu/unbound:1.18 -c /etc/unbound.conf
  
 ## Docker images
 
-Docker images are available on [Quay.io](https://quay.io/repository/cybozu/unbound)
+Docker images are available on [ghcr.io](https://github.com/cybozu/neco-containers/pkgs/container/unbound)
diff --git a/vault/README.md b/vault/README.md
index 373a79470..47e28ec13 100644
--- a/vault/README.md
+++ b/vault/README.md
@@ -41,4 +41,4 @@ Then run `vault` as follows:
 Docker images
 -------------
 
-Docker images are available on [Quay.io](https://quay.io/repository/cybozu/vault)
+Docker images are available on [ghcr.io](https://github.com/cybozu/neco-containers/pkgs/container/vault)