diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 00000000..3057f735
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,77 @@
+name: ci
+
+on:
+  push:
+    tags:
+      - 'gh-v*.*.*'
+
+jobs:
+  docker:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v2
+      -
+        name: Prepare
+        id: prep
+        run: |
+          if [[ $GITHUB_REF == refs/tags/* ]]; then
+            VERSION=${GITHUB_REF#refs/tags/}
+            if [[ $VERSION =~ ^gh-v([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$ ]]; then
+               MAJOR="${BASH_REMATCH[1]}"
+               MINOR="${BASH_REMATCH[2]}"
+               PATCH="${BASH_REMATCH[3]}"
+
+               TAGS="${{ secrets.DOCKER_IMAGE }}:latest"
+               TAGS="${TAGS},${{ secrets.DOCKER_IMAGE }}:${MAJOR}"
+               TAGS="${TAGS},${{ secrets.DOCKER_IMAGE }}:${MAJOR}.${MINOR}"
+               TAGS="${TAGS},${{ secrets.DOCKER_IMAGE }}:${MAJOR}.${MINOR}.${PATCH}"
+            else
+               TAGS="${{ secrets.DOCKER_IMAGE }}:${VERSION}"
+            fi
+          elif [[ $GITHUB_REF == refs/heads/* ]]; then
+            VERSION=$(echo ${GITHUB_REF#refs/heads/} | sed -r 's#/+#-#g')
+            if [ "${{ github.event.repository.default_branch }}" = "$VERSION" ]; then
+              VERSION=edge
+            fi
+            TAGS="${{ secrets.DOCKER_IMAGE }}:${VERSION}"
+          elif [[ $GITHUB_REF == refs/pull/* ]]; then
+            TAGS="${{ secrets.DOCKER_IMAGE }}:pr-${{ github.event.number }}"
+          fi
+          echo ::set-output name=tags::${TAGS}
+          echo ::set-output name=created::$(date -u +'%Y-%m-%dT%H:%M:%SZ')
+      -
+        name: Set up QEMU
+        uses: docker/setup-qemu-action@v1
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+      -
+        name: Login to the container registry
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v1
+        with:
+          registry: quay.io
+          username: ${{ secrets.REGISTRY_USERNAME }}
+          password: ${{ secrets.REGISTRY_TOKEN }}
+      -
+        name: Build and push
+        id: docker_build
+        uses: docker/build-push-action@v2
+        with:
+          context: .
+          file: ./Dockerfile.multiarch
+          platforms: linux/amd64,linux/arm/v7,linux/arm64
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.prep.outputs.tags }}
+          build-args: |
+            APP_FOLDER=/go/src/github.com/${{ github.repository }}
+          labels: |
+            org.opencontainers.image.title=${{ github.event.repository.name }}
+            org.opencontainers.image.description=${{ github.event.repository.description }}
+            org.opencontainers.image.url=${{ github.event.repository.html_url }}
+            org.opencontainers.image.source=${{ github.event.repository.clone_url }}
+            org.opencontainers.image.created=${{ steps.prep.outputs.created }}
+            org.opencontainers.image.revision=${{ github.sha }}
+            org.opencontainers.image.licenses=${{ github.event.repository.license.spdx_id }}
diff --git a/Dockerfile.multiarch b/Dockerfile.multiarch
new file mode 100644
index 00000000..3b0eaf34
--- /dev/null
+++ b/Dockerfile.multiarch
@@ -0,0 +1,21 @@
+FROM --platform=$BUILDPLATFORM golang:1.14 as build-env
+
+# xx wraps go to automatically configure $GOOS, $GOARCH, and $GOARM
+# based on TARGETPLATFORM provided by Docker.
+COPY --from=tonistiigi/xx:golang-1.0.0 / /
+
+ARG APP_FOLDER
+
+ADD . ${APP_FOLDER}
+WORKDIR ${APP_FOLDER}
+
+# Compile independent executable using go wrapper from xx:golang
+ARG TARGETPLATFORM
+RUN CGO_ENABLED=0 go build -a -ldflags '-extldflags "-static"' -o /bin/main ./cmd/nfs-subdir-external-provisioner
+
+FROM --platform=$TARGETPLATFORM alpine:3.12
+
+RUN apk update --no-cache && apk add ca-certificates
+COPY --from=build-env /bin/main /app/main
+
+ENTRYPOINT ["/app/main"]
\ No newline at end of file
diff --git a/README.md b/README.md
index 54aa044a..c6e2f368 100644
--- a/README.md
+++ b/README.md
@@ -179,3 +179,20 @@ spec:
     requests:
       storage: 1Mi
 ```
+
+# Build and publish with GitHub Actions
+
+In a forked repository you can use GitHub Actions pipeline defined in [.github/workflows/release.yml](.github/workflows/release.yml). The pipeline builds Docker images for `linux/amd64`, `linux/arm64`, and `linux/arm/v7` platforms and publishes them using a multi-arch manifest. The pipeline is triggered when you add a tag like `gh-v{major}.{minor}.{patch}` to your commit and push it to GitHub. The tag is used for generating Docker image tags: `latest`, `{major}`, `{major}:{minor}`, `{major}:{minor}:{patch}`.
+
+The pipeline adds several labels:
+* `org.opencontainers.image.title=${{ github.event.repository.name }}`
+* `org.opencontainers.image.description=${{ github.event.repository.description }}`
+* `org.opencontainers.image.url=${{ github.event.repository.html_url }}`
+* `org.opencontainers.image.source=${{ github.event.repository.clone_url }}`
+* `org.opencontainers.image.created=${{ steps.prep.outputs.created }}`
+* `org.opencontainers.image.revision=${{ github.sha }}`
+* `org.opencontainers.image.licenses=${{ github.event.repository.license.spdx_id }}`
+
+**Important:**
+* The pipeline performs the docker login command using `REGISTRY_USERNAME` and `REGISTRY_TOKEN` secrets, which have to be provided.
+* You also need to provide the `DOCKER_IMAGE` secret specifying your Docker image name, e.g., `quay.io/[username]/nfs-subdir-external-provisioner`.