diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
new file mode 100644
index 0000000..8fae174
--- /dev/null
+++ b/.github/workflows/docker.yml
@@ -0,0 +1,53 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# GitHub recommends pinning actions to a commit SHA.
+# To get a newer version, you will need to update the SHA.
+# You can also reference a tag or branch, but the action may change without warning.
+
+name: Create and publish a Docker image
+
+on:
+  push:
+    branches:
+    - master
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  build-and-push-image:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..a95538a
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,39 @@
+FROM node:20-slim
+
+ARG CRITICAL_VERSION=5.0.4
+
+ARG PACKAGES="\
+  libx11-6\
+  libx11-xcb1\
+  libxcomposite1\
+  libxcursor1\
+  libxdamage1\
+  libxext6\
+  libxi6\
+  libxtst6\
+  libglib2.0-0\
+  libnss3\
+  libcups2\
+  libxss1\
+  libexpat1\
+  libxrandr2\
+  libasound2\
+  libatk1.0-0\
+  libatk-bridge2.0-0\
+  libpangocairo-1.0-0\
+  libgtk-3-0\
+  "
+RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache
+# hadolint ignore=DL3008
+RUN --mount=type=cache,id=build-apt-cache,sharing=locked,target=/var/cache/apt \
+    --mount=type=cache,id=build-apt-lib,sharing=locked,target=/var/lib/apt \
+    apt-get update -qq \
+    && apt-get install --no-install-recommends -y ${PACKAGES} \
+    && rm -rf /var/lib/apt/lists /var/cache/apt/archives
+
+RUN --mount=type=cache,id=build-npm-cache,sharing=locked,target=/root/.npm \
+  npm install -g critical@${CRITICAL_VERSION}
+
+WORKDIR /site
+
+CMD ["critical", "--help"]