diff --git a/support/docker b/support/docker
index e80cdd82562d3f1e5d0ceb0d8d51a6e403644236..a8b785d49fbb0649002fc73d9a436d707fd96f07 100755
--- a/support/docker
+++ b/support/docker
@@ -23,18 +23,28 @@ case "$1" in
     ci-build-if-necessary)
         dependency_sha=$(cat support/bootstrap support/bootstrap-common.sh Dockerfile packages_ubuntu.txt .tool-versions | sha256sum | cut -d ' ' -f 1)
         cache_image="${DEFAULT_IMAGE_WITHOUT_TAG}:${dependency_sha}"
+        destinations="--tag ${cache_image} --tag ${DEFAULT_BRANCH_IMAGE}"
+        bootstrapped_image="${CI_REGISTRY_IMAGE}/asdf-bootstrapped-verify"
+
+        if [ "$DEFAULT_BRANCH_IMAGE" == "${bootstrapped_image}:main" ]; then
+          # We push verify image from main branch to separate path and tag with commit sha so we are able to properly
+          #   pin image versions in 'gitlab' canonical project
+          # Separate path allows to create specific cleanup policy as well as allow dependency updaters to not be confused
+          #   by branch specific tags
+          destinations="${destinations} --tag ${bootstrapped_image}/main:${CI_COMMIT_SHA} --tag ${bootstrapped_image}/main:latest"
+        fi
 
         # We use the cache from the image with the same shasum first.
         # If it doesn't exist, we use the cache from the branch image.
         # If it doesn't exist, we use the cache from the `main` image.
+        # shellcheck disable=SC2086
         docker buildx build \
           --provenance=false \
           --cache-to=type=inline \
           --cache-from="${cache_image}" \
           --cache-from="${DEFAULT_BRANCH_IMAGE}" \
           --cache-from="${DEFAULT_MAIN_IMAGE}" \
-          --tag "${cache_image}" \
-          --tag "${DEFAULT_BRANCH_IMAGE}" \
+          ${destinations} \
           --push \
           .
         ;;