diff --git a/.github/workflows/dockerimage.yml b/.github/workflows/dockerimage.yml
index f7aaeb4..edf20bc 100644
--- a/.github/workflows/dockerimage.yml
+++ b/.github/workflows/dockerimage.yml
@@ -14,10 +14,8 @@ permissions:
 jobs:
 
   # Build default priviliged container image version
-  # We make it need the other jobs, so this comes last and becomes the "latest"
   docker-root:
     runs-on: ubuntu-latest
-    needs: [docker-nonroot]
     steps:
       - name: Check out the repo
         uses: actions/checkout@v3
@@ -77,7 +75,12 @@ jobs:
         uses: docker/metadata-action@v4
         with:
           images: ghcr.io/${{ github.repository }}
-          tags: type=ref,event=tag,suffix=-nonroot
+          # no "latest" tag for non-root variant
+          flavor: latest=false
+          tags: |
+            type=ref,event=tag,suffix=-nonroot
+            # set latest-nonroot tag for default branch
+            type=raw,value=latest-nonroot
 
       - name: Build and push Docker image
         uses: docker/build-push-action@v4
diff --git a/deploy/docker-compose.nonroot.yml b/deploy/docker-compose.nonroot.yml
index 75ec1a4..a85e0bd 100644
--- a/deploy/docker-compose.nonroot.yml
+++ b/deploy/docker-compose.nonroot.yml
@@ -10,7 +10,7 @@
 version: "3"
 services:
   timetagger:
-    image: ghcr.io/almarklein/timetagger:v23.9.2-nonroot
+    image: ghcr.io/almarklein/timetagger:latest-nonroot
     ports:
       - "80:80"
     volumes: