diff --git a/.github/workflows/build_docker.yaml b/.github/workflows/build_docker.yaml
new file mode 100644
index 0000000000000..40ca5902cf776
--- /dev/null
+++ b/.github/workflows/build_docker.yaml
@@ -0,0 +1,83 @@
+name: Build and push Docker image
+
+on:
+  push:
+    branches:
+      - master
+  workflow_dispatch:
+  pull_request:
+
+jobs:
+  # Build and push ALL events. We'll make sure to give the images
+  # sensible tags, so there's no confusion around what's 'dev' builds
+  # through PRs, and what's proper 'master' builds.
+  #
+  # Official GitHub docs on this: https://docs.github.com/en/actions/use-cases-and-examples/publishing-packages/publishing-docker-images
+  build-push-docker:
+    runs-on: ubuntu-latest
+    # needed to push to GHCR
+    permissions:
+      contents: read
+      packages: write
+      attestations: write
+      id-token: write
+    steps:
+      - name: Docker meta
+        id: meta
+        # https://github.com/docker/metadata-action
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            ghcr.io/${{ github.repository_owner }}/bitcoin-patched
+          # generate Docker tags based on the following events/attributes
+          tags: |
+            # creates a tag for each push
+            type=sha,event=push
+
+            # creates a tag for each pr
+            type=ref,event=pr
+
+            # set latest tag for default branch
+            type=raw,value=latest,enable={{is_default_branch}}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build (and maybe push) Docker image
+        uses: docker/build-push-action@v6
+        with:
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          # Caching Docker builds on CI is an eternally
+          # difficult task. From the official docs:
+          # "In most cases you want to use the inline cache exporter"
+          #
+          # https://docs.docker.com/build/ci/github-actions/cache/#inline-cache
+          # prettier-ignore
+          cache-from: type=registry,ref=ghcr.io/${{ github.repository_owner }}/bitcoin-patched:latest
+          cache-to: type=inline
+
+      - name: Find existing comment about built images
+        id: fc
+        uses: peter-evans/find-comment@v3
+        if: github.event_name == 'pull_request'
+        with:
+          body-includes: "Built Docker"
+          issue-number: ${{ github.event.pull_request.number }}
+
+      - name: Comment on pull request about built images
+        if: github.event_name == 'pull_request'
+        uses: peter-evans/create-or-update-comment@v4
+        with:
+          comment-id: ${{ steps.fc.outputs.comment-id }}
+          issue-number: ${{ github.event.pull_request.number }}
+          edit-mode: replace
+          body: |
+            Built Docker image(s): ${{ steps.meta.outputs.tags }}