diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index ff99fc6..4750b82 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -320,6 +320,7 @@ jobs:
         run: |
           cd infra/apps/overlays/dev
           kustomize edit set image ghcr.io/cartsnitch/receiptwitness:${{ needs.build-and-push-receiptwitness.outputs.calver_tag }}
+          kustomize edit set image ghcr.io/cartsnitch/api:${{ needs.build-and-push-api.outputs.calver_tag }}
 
       - name: Update api image tag
         if: needs.build-and-push-api.result == 'success'
diff --git a/api/Dockerfile b/api/Dockerfile
index 8eef88d..e271e94 100644
--- a/api/Dockerfile
+++ b/api/Dockerfile
@@ -1,3 +1,5 @@
+# Stage 1: Build dependencies
+# Build context is the repo root.  Paths below are relative to the root.
 FROM python:3.12-slim AS build
 
 RUN apt-get update && apt-get install -y --no-install-recommends \
@@ -6,18 +8,21 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     && rm -rf /var/lib/apt/lists/*
 
 WORKDIR /app
-COPY pyproject.toml ./
-COPY src/ ./src/
+COPY api/pyproject.toml ./
+COPY api/src/ ./src/
 RUN pip install --no-cache-dir --prefix=/install .
 
+# Stage 2: Production image
 FROM python:3.12-slim AS prod
 
+RUN apt-get update && apt-get install -y --no-install-recommends libpq5 && rm -rf /var/lib/apt/lists/*
+
 WORKDIR /app
 RUN adduser --system --group --uid 1000 app
 COPY --from=build /install /usr/local
-COPY src/ ./src/
-COPY alembic.ini ./
-COPY alembic/ ./alembic/
+COPY api/src/ ./src/
+COPY api/alembic.ini ./
+COPY api/alembic/ ./alembic/
 
 USER 1000
 EXPOSE 8000