diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 00000000..3ea08526
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,2 @@
+target/
+.git/
diff --git a/.github/workflows/check.yaml b/.github/workflows/check.yaml
index 80555cf8..71a12fbd 100644
--- a/.github/workflows/check.yaml
+++ b/.github/workflows/check.yaml
@@ -1,4 +1,4 @@
-name: Check
+name: CI
 
 on:
   push:
@@ -220,3 +220,46 @@ jobs:
         with:
           command: test
           args: --offline
+
+  build-image:
+    name: Build and push Docker image
+    needs: [rustfmt, clippy]
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout the code
+        uses: actions/checkout@v2
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v3
+        with:
+          images: ghcr.io/matrix-org/matrix-authentication-service
+          tags: |
+            type=ref,event=branch
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+            type=sha
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+
+      - name: Login to GitHub Container Registry
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v1
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push
+        uses: docker/build-push-action@v2
+        with:
+          context: .
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 00000000..11888c27
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,21 @@
+ARG RUSTC_VERSION=1.55.0
+
+# cargo-chef helps with caching dependencies between builds
+FROM lukemathwalker/cargo-chef:latest-rust-${RUSTC_VERSION}-alpine AS chef
+WORKDIR app
+
+FROM chef AS planner
+COPY . .
+RUN cargo chef prepare --recipe-path recipe.json
+
+FROM chef AS builder 
+COPY --from=planner /app/recipe.json recipe.json
+# Build dependencies
+RUN cargo chef cook --release --recipe-path recipe.json
+# Build the rest
+COPY . .
+RUN cargo build --release --bin mas-cli
+
+FROM gcr.io/distroless/cc
+COPY --from=builder /app/target/release/mas-cli /mas-cli
+ENTRYPOINT ["/mas-cli"]