diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
new file mode 100644
index 0000000..be84bbd
--- /dev/null
+++ b/.github/workflows/publish.yml
@@ -0,0 +1,61 @@
+name: Build and publish
+
+# Builds each version directory as `defactosoftware/elixir:<dir-name>` and
+# publishes to Docker Hub on merge to master. PR runs build-only (no push) so
+# Dockerfile regressions surface before merge.
+on:
+  push:
+    branches: [master]
+    paths:
+      - "*/Dockerfile"
+      - ".github/workflows/publish.yml"
+  pull_request:
+    paths:
+      - "*/Dockerfile"
+      - ".github/workflows/publish.yml"
+  workflow_dispatch:
+
+jobs:
+  detect-versions:
+    runs-on: ubuntu-latest
+    outputs:
+      versions: ${{ steps.set.outputs.versions }}
+    steps:
+      - uses: actions/checkout@v4
+      - id: set
+        run: |
+          versions=$(find . -mindepth 2 -maxdepth 2 -name Dockerfile \
+            | sed -E 's|^\./([^/]+)/Dockerfile$|\1|' \
+            | sort \
+            | jq -R -s -c 'split("\n") | map(select(length > 0))')
+          echo "versions=$versions" >> "$GITHUB_OUTPUT"
+          echo "Detected: $versions"
+
+  build:
+    needs: detect-versions
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        version: ${{ fromJson(needs.detect-versions.outputs.versions) }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: docker/setup-buildx-action@v3
+
+      - name: Log in to Docker Hub
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          context: ./${{ matrix.version }}
+          platforms: linux/amd64
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: defactosoftware/elixir:${{ matrix.version }}
+          cache-from: type=gha,scope=${{ matrix.version }}
+          cache-to: type=gha,scope=${{ matrix.version }},mode=max
diff --git a/README.md b/README.md
index cc08523..45ee856 100644
--- a/README.md
+++ b/README.md
@@ -12,21 +12,27 @@ Included:
 - Some build tools (for dependencies that require compilation steps)
 <br>
 
-*There is currently no GitHub Action to automatically build the images, so building and publishing has to be done manually through Docker Desktop or CLI for now.*
-<br>
-<br>
+### Adding a new version
+
+1. Create a new directory named after the Elixir version (e.g. `1.20.0-rc.6/`) containing a `Dockerfile`.
+2. Open a PR — the `Build and publish` workflow builds the image to verify the Dockerfile compiles.
+3. On merge to `master`, the workflow pushes the image to Docker Hub as `defactosoftware/elixir:<version>`.
+
+### Required Docker Hub secrets
 
-### To Build (Docker Desktop)
+The publish workflow needs two repository secrets configured in **Settings → Secrets and variables → Actions**:
 
-*First, install/setup Docker Desktop and login.*
+- `DOCKERHUB_USERNAME` — a Docker Hub account with push access to `defactosoftware/elixir`
+- `DOCKERHUB_TOKEN` — a Docker Hub access token (create one at https://hub.docker.com/settings/security)
+
+### Building locally
+
+If you need to build the image on your machine (e.g. to test ahead of pushing):
 
 ```
 cd VERSION
 docker build --platform=linux/amd64 -t defactosoftware/elixir:VERSION .
+docker push defactosoftware/elixir:VERSION   # optional
 ```
-<br>
-
-### To Publish (Docker Desktop)
 
-- Find the built image under **images**
-- Click the *three-dot* menu and select **Push to Docker Hub**
+Docker Desktop, Colima, OrbStack and Podman all work — anything that provides a `docker` CLI with buildx.