diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
new file mode 100644
index 0000000..1227ae1
--- /dev/null
+++ b/.github/workflows/ci.yaml
@@ -0,0 +1,69 @@
+name: CI
+
+"on":
+  merge_group: {}
+  pull_request:
+    branches:
+      - "tickets/*"
+  push:
+    branches-ignore:
+      # These should always correspond to pull requests, so ignore them for
+      # the push trigger and let them be triggered by the pull_request
+      # trigger, avoiding running the workflow twice.  This is a minor
+      # optimization so there's no need to ensure this is comprehensive.
+      - "dependabot/**"
+      - "gh-readonly-queue/**"
+      - "renovate/**"
+    tags:
+      - "*"
+
+jobs:
+
+  build:
+
+    runs-on: ubuntu-latest
+
+    # Only do Docker builds of tagged releases and pull requests from ticket
+    # branches.  This will still trigger on pull requests from untrusted
+    # repositories whose branch names match our tickets/* branch convention,
+    # but in this case the build will fail with an error since the secret
+    # won't be set.
+    # if: >
+    #   startsWith(github.ref, 'refs/tags/')
+    #   || startsWith(github.head_ref, 'tickets/')
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      
+      - uses: actions/setup-java@v3
+        with:
+          java-version: '11'
+          distribution: 'temurin'
+
+      - name: Define the Docker tag
+        id: vars
+        run: echo ::set-output name=tag::$(scripts/docker-tag.sh)
+
+      - name: Print the tag
+        id: print
+        run: echo ${{ steps.vars.outputs.tag }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      
+      - name: Build
+        run: make all
+        env:
+          DOCKER_ORG: "lsst-sqre"
+          DOCKER_REGISTRY: "ghcr.io"
+          DOCKER_TAG: ${{ steps.vars.outputs.tag }}
+          PROJECT_NAME: "strimzi-access-operator"
diff --git a/scripts/docker-tag.sh b/scripts/docker-tag.sh
new file mode 100755
index 0000000..1e67e78
--- /dev/null
+++ b/scripts/docker-tag.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+# Determine the tag for Docker images based on GitHub Actions environment
+# variables.
+
+set -eo pipefail
+
+# For push events
+echo ${GITHUB_REF} | sed -E 's,refs/(heads|tags)/,,' | sed -E 's,/,-,g'