diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index dd8254c..da665a3 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -18,23 +18,23 @@ jobs:
     strategy:
       matrix:
         version:
-          - '5.0'
           - '5.1'
           - '5.2'
           - '5.3'
           - '5.4'
+          - '5.5'
 
     steps:
-      - uses: actions/checkout@v3
-      - uses: docker/setup-buildx-action@v2
-      - uses: docker/setup-qemu-action@v2
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
+      - uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
       - name: Docker login
-        uses: docker/login-action@v2
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ github.token }}
-      - uses: docker/build-push-action@v3
+      - uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
         with:
           push: true
           pull: true
diff --git a/5.5/Dockerfile b/5.5/Dockerfile
new file mode 100644
index 0000000..cf31041
--- /dev/null
+++ b/5.5/Dockerfile
@@ -0,0 +1,52 @@
+FROM debian:11-slim
+
+ENV EMQX_VERSION=5.5.0
+ENV AMD64_SHA256=31af6514bcd30cab68272e1ff9553f652520cf82afed8894b3c4fe0fae55da88
+ENV ARM64_SHA256=45f46c99ae9561aac13b25f909df6ac1f971d4ce4aa594ff3711a1c95e8d9d9e
+ENV LC_ALL=C.UTF-8 LANG=C.UTF-8
+
+RUN set -eu; \
+    apt-get update; \
+    apt-get install -y --no-install-recommends ca-certificates procps curl; \
+    arch=$(dpkg --print-architecture); \
+    if [ ${arch} = "amd64" ]; then sha256="$AMD64_SHA256"; fi; \
+    if [ ${arch} = "arm64" ]; then sha256="$ARM64_SHA256"; fi; \
+    ID="$(sed -n '/^ID=/p' /etc/os-release | sed -r 's/ID=(.*)/\1/g' | sed 's/\"//g')"; \
+    VERSION_ID="$(sed -n '/^VERSION_ID=/p' /etc/os-release | sed -r 's/VERSION_ID=(.*)/\1/g' | sed 's/\"//g')"; \
+    pkg="emqx-${EMQX_VERSION}-${ID}${VERSION_ID}-${arch}.tar.gz"; \
+    curl -f -O -L https://www.emqx.com/en/downloads/broker/v${EMQX_VERSION}/${pkg}; \
+    echo "$sha256 *$pkg" | sha256sum -c; \
+    mkdir /opt/emqx; \
+    tar zxf $pkg -C /opt/emqx; \
+    find /opt/emqx -name 'swagger*.js.map' -exec rm {} +; \
+    groupadd -r -g 1000 emqx; \
+    useradd -r -m -u 1000 -g emqx emqx; \
+    chgrp -Rf emqx /opt/emqx; \
+    chmod -Rf g+w /opt/emqx; \
+    chown -Rf emqx /opt/emqx; \
+    ln -s /opt/emqx/bin/* /usr/local/bin/; \
+    rm -f $pkg; \
+    apt-get purge -y --auto-remove curl; \
+    rm -rf /var/lib/apt/lists/*
+
+WORKDIR /opt/emqx
+
+USER emqx
+
+VOLUME ["/opt/emqx/log", "/opt/emqx/data"]
+
+# emqx will occupy these port:
+# - 1883 port for MQTT
+# - 8083 for WebSocket/HTTP
+# - 8084 for WSS/HTTPS
+# - 8883 port for MQTT(SSL)
+# - 18083 for dashboard and API
+# - 4370 default Erlang distribution port
+# - 5369 for backplain gen_rpc
+EXPOSE 1883 8083 8084 8883 18083 4370 5369
+
+COPY docker-entrypoint.sh /usr/bin/
+
+ENTRYPOINT ["/usr/bin/docker-entrypoint.sh"]
+
+CMD ["/opt/emqx/bin/emqx", "foreground"]
diff --git a/5.5/docker-entrypoint.sh b/5.5/docker-entrypoint.sh
new file mode 100755
index 0000000..8e96a6b
--- /dev/null
+++ b/5.5/docker-entrypoint.sh
@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+
+## Shell setting
+if [[ -n "$DEBUG" ]]; then
+    set -ex
+else
+    set -e
+fi
+
+shopt -s nullglob
+
+## Local IP address setting
+
+LOCAL_IP=$(hostname -i | grep -oE '((25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])\.){3}(25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])' | head -n 1)
+
+export EMQX_NAME="${EMQX_NAME:-emqx}"
+
+if [[ -z "$EMQX_HOST" ]]; then
+    if [[ "$EMQX_CLUSTER__DISCOVERY_STRATEGY" == "dns" ]] && \
+        [[ "$EMQX_CLUSTER__DNS__RECORD_TYPE" == "srv" ]] && \
+        grep -q "$(hostname).$EMQX_CLUSTER__DNS__NAME" /etc/hosts; then
+            EMQX_HOST="$(hostname).$EMQX_CLUSTER__DNS__NAME"
+    elif [[ "$EMQX_CLUSTER__DISCOVERY_STRATEGY" == "k8s" ]] && \
+        [[ "$EMQX_CLUSTER__K8S__ADDRESS_TYPE" == "dns" ]] && \
+        [[ -n "$EMQX_CLUSTER__K8S__NAMESPACE" ]]; then
+            EMQX_CLUSTER__K8S__SUFFIX=${EMQX_CLUSTER__K8S__SUFFIX:-"pod.cluster.local"}
+            EMQX_HOST="${LOCAL_IP//./-}.$EMQX_CLUSTER__K8S__NAMESPACE.$EMQX_CLUSTER__K8S__SUFFIX"
+    elif [[ "$EMQX_CLUSTER__DISCOVERY_STRATEGY" == "k8s" ]] && \
+        [[ "$EMQX_CLUSTER__K8S__ADDRESS_TYPE" == 'hostname' ]] && \
+        [[ -n "$EMQX_CLUSTER__K8S__NAMESPACE" ]]; then
+            EMQX_CLUSTER__K8S__SUFFIX=${EMQX_CLUSTER__K8S__SUFFIX:-'svc.cluster.local'}
+            EMQX_HOST=$(grep -h "^$LOCAL_IP" /etc/hosts | grep -o "$(hostname).*.$EMQX_CLUSTER__K8S__NAMESPACE.$EMQX_CLUSTER__K8S__SUFFIX")
+    else
+        EMQX_HOST="$LOCAL_IP"
+    fi
+    export EMQX_HOST
+fi
+
+if [[ -z "$EMQX_NODE_NAME" ]]; then
+    export EMQX_NODE_NAME="$EMQX_NAME@$EMQX_HOST"
+fi
+
+# The default rpc port discovery 'stateless' is mostly for clusters
+# having static node names. So it's troulbe-free for multiple emqx nodes
+# running on the same host.
+# When start emqx in docker, it's mostly one emqx node in one container
+# i.e. use port 5369 (or per tcp_server_port | ssl_server_port config) for gen_rpc
+export EMQX_RPC__PORT_DISCOVERY="${EMQX_RPC__PORT_DISCOVERY:-manual}"
+
+exec "$@"