diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml
new file mode 100644
index 0000000..07d12bf
--- /dev/null
+++ b/.github/workflows/docker.yaml
@@ -0,0 +1,84 @@
+name: Docker
+
+on:
+ push:
+ pull_request:
+ branches: [ master ]
+
+jobs:
+ build:
+ name: Build and push Docker image
+ runs-on: ubuntu-latest
+ env:
+ IMAGE: ghcr.io/${{ github.repository }}
+
+ permissions:
+ packages: write
+ contents: read
+
+ steps:
+ - name: Checkout the code
+ uses: actions/checkout@v2
+
+ - name: Docker meta
+ id: meta
+ uses: docker/metadata-action@v3
+ with:
+ images: "${{ env.IMAGE }}"
+ bake-target: docker-metadata-action
+ tags: |
+ type=ref,event=branch
+ type=semver,pattern={{version}}
+ type=semver,pattern={{major}}.{{minor}}
+ type=semver,pattern={{major}}
+ type=sha
+
+ - name: Docker meta (debug variant)
+ id: meta-debug
+ uses: docker/metadata-action@v3
+ with:
+ images: "${{ env.IMAGE }}"
+ bake-target: docker-metadata-action-debug
+ tags: |
+ type=ref,event=branch,suffix=-debug
+ type=semver,pattern={{version}},suffix=-debug
+ type=semver,pattern={{major}}.{{minor}},suffix=-debug
+ type=semver,pattern={{major}},suffix=-debug
+ type=sha,suffix=-debug
+
+ - name: Merge buildx bake files
+ run: |
+ jq -s '.[0] * .[1]' ${{ steps.meta.outputs.bake-file }} ${{ steps.meta-debug.outputs.bake-file }} > docker-bake.override.json
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v1
+ with:
+ config-inline: |
+ [registry."docker.io"]
+ mirrors = ["mirror.gcr.io"]
+
+ - name: Login to GitHub Container Registry
+ if: github.event_name != 'pull_request'
+ uses: docker/login-action@v1
+ with:
+ registry: ghcr.io
+ username: ${{ github.repository_owner }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ # For pull-requests, only read from the cache, do not try to push to the
+ # cache or the image itself
+ - name: Build
+ uses: docker/bake-action@v1
+ if: github.event_name == 'pull_request'
+ with:
+ set: |
+ base.cache-from=type=registry,ref=${{ env.IMAGE }}:buildcache
+
+ - name: Build and push
+ uses: docker/bake-action@v1
+ if: github.event_name != 'pull_request'
+ with:
+ set: |
+
base.output=type=image,push=true + base.cache-from=type=registry,ref=${{ env.IMAGE }}:buildcache + base.cache-to=type=registry,ref=${{ env.IMAGE }}:buildcache,mode=max diff --git a/Dockerfile b/Dockerfile index 093e8c5..4811623 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,18 +1,27 @@ -FROM golang:alpine as builder -RUN apk add --update --no-cache git ca-certificates +ARG GO_VERSION=1.17 +ARG DEBIAN_VERSION=11 +ARG DEBIAN_VERSION_NAME=bullseye + +## Build stage ## +FROM --platform=${BUILDPLATFORM} docker.io/library/golang:${GO_VERSION}-${DEBIAN_VERSION_NAME} AS builder -RUN mkdir /build WORKDIR /build -COPY go.mod . -COPY go.sum . +COPY go.mod go.sum ./ RUN go mod download COPY . . -RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -installsuffix cgo -ldflags '-extldflags "-static"' -o rageshake +RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build -o rageshake -FROM scratch +## Runtime stage, debug variant ## +FROM --platform=${TARGETPLATFORM} gcr.io/distroless/static-debian${DEBIAN_VERSION}:debug-nonroot AS debug COPY --from=builder /build/rageshake /rageshake -COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ WORKDIR / EXPOSE 9110 -CMD ["/rageshake"] +ENTRYPOINT ["/rageshake"] + +## Runtime stage ## +FROM --platform=${TARGETPLATFORM} gcr.io/distroless/static-debian${DEBIAN_VERSION}:nonroot +COPY --from=builder /build/rageshake /rageshake +WORKDIR / +EXPOSE 9110 +ENTRYPOINT ["/rageshake"] diff --git a/changelog.d/47.misc b/changelog.d/47.misc new file mode 100644 index 0000000..7000960 --- /dev/null +++ b/changelog.d/47.misc @@ -0,0 +1 @@ +Build and push a multi-arch Docker image on the GitHub Container Registry. diff --git a/docker-bake.hcl b/docker-bake.hcl new file mode 100644 index 0000000..97acacd --- /dev/null +++ b/docker-bake.hcl 
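Review bot: Every `uses:` step in this job references a mutable tag (`actions/checkout@v2`, `docker/metadata-action@v3`, `docker/setup-buildx-action@v1`, `docker/login-action@v1`, `docker/bake-action@v1`) while the job holds `packages: write` and hands `secrets.GITHUB_TOKEN` to the login step, so a retagged action would run with push rights to the registry. Pin each one to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: docker/login-action@<full-commit-sha>  # v1` (placeholder; take the real SHA from the action's repository). Separately, `on: push:` carries no branch filter, so a push to any branch publishes `type=ref,event=branch` tags and rewrites the shared `:buildcache` ref that later builds read through `cache-from`. If only `master` and release tags are meant to publish, add `branches: [ master ]` and a `tags:` filter under `push:`.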
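Review bot: The builder stage's `RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build -o rageshake` reads `TARGETOS` and `TARGETARCH`, but no `ARG TARGETOS` / `ARG TARGETARCH` is declared inside that stage in this hunk. The automatic platform arguments are global-scope and only become visible to a stage's `RUN` commands once redeclared, so both would expand to empty and `go build` would fall back to the build host's OS and architecture. Adding `ARG TARGETOS` and `ARG TARGETARCH` after `COPY . .` and before the `RUN` fixes it; without them the `linux/arm64` and `linux/arm` images listed in docker-bake.hcl would presumably carry a binary for the runner's architecture. Also, all three `FROM` lines resolve floating tags (`golang:${GO_VERSION}-${DEBIAN_VERSION_NAME}`, `:debug-nonroot`, `:nonroot`); appending the multi-arch index digest, e.g. `:nonroot@sha256:<index-digest>` (placeholder), would make the published images reproducible and auditable.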
@@ -0,0 +1,25 @@
+// This is what is baked by GitHub Actions
+group "default" { targets = ["regular", "debug"] }
+
+// Targets filled by GitHub Actions: one for the regular tag, one for the debug tag
+target "docker-metadata-action" {}
+target "docker-metadata-action-debug" {}
+
+// This sets the platforms and is further extended by GitHub Actions to set the
+// output and the cache locations
+target "base" {
+ platforms = [
+ "linux/amd64",
+ "linux/arm64",
+ "linux/arm",
+ ]
+}
+
+target "regular" {
+ inherits = ["base", "docker-metadata-action"]
+}
+
+target "debug" {
+ inherits = ["base", "docker-metadata-action-debug"]
+ target = "debug"
+}
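Review bot: Nothing in this file tells a reader that the `debug` target has a different security posture from `regular`: it selects the Dockerfile's `debug` stage, whose base is the distroless `:debug-nonroot` image, and that variant ships a busybox shell. A comment above `target "debug"` such as `// Troubleshooting image (includes a shell); do not deploy in place of the regular one` would make that explicit. The two empty `docker-metadata-action*` targets also mean a local `docker buildx bake` yields untagged results, which deserves a line in the existing "Targets filled by GitHub Actions" comment.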