diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
new file mode 100644
index 000000000..a04a4f2ec
--- /dev/null
+++ b/.github/workflows/build.yml
@@ -0,0 +1,63 @@
+name: build and publish
+on:
+  push:
+    branches:
+    - master
+    - v*
+env:
+  # Hopefully fake up DRONE_BRANCH so it's picked up when
+  # dapper gets to scripts/version...
+  DRONE_BRANCH: ${{ github.ref_name }}
+jobs:
+  build:
+    name: Build and Publish
+    runs-on:
+      - self-hosted
+      - Linux
+      - kvm
+      - vagrant
+      - equinix
+      - X64
+    container:
+      image: rancher/dapper:v0.5.8
+    steps:
+    # Git is not in Dapper container image. Add it manually for dirty check.
+    - name: Add Git
+      run: apk add -U git
+
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Run dapper ci
+      run: dapper ci
+
+    # These next two items, should, I hope, be a reasonable translation of
+    # .drone.yml's publish-head step.
+    - name: GCS Auth
+      uses: 'google-github-actions/auth@v2'
+      with:
+        credentials_json: '${{ secrets.google_auth_key }}'
+
+    - name: Publish Head
+      uses: 'google-github-actions/upload-cloud-storage@v2'
+      with:
+        predefinedAcl: publicRead
+        headers: |-
+          cache-control: public,no-cache,proxy-revalidate
+        path: dist/artifacts
+        destination: releases.rancher.com/harvester/${{ github.ref_name }}
+        parent: false
+
+    - name: Login to Docker Hub
+      uses: docker/login-action@v3
+      with:
+        username: ${{ secrets.docker_username }}
+        password: ${{ secrets.docker_password }}
+
+    - name: Docker Publish Cluster Repo
+      uses: docker/build-push-action@v5
+      with:
+        context: dist/harvester-cluster-repo
+        file: dist/harvester-cluster-repo/Dockerfile
+        push: true
+        tags: rancher/harvester-cluster-repo:${{ github.ref_name }}-head-amd64
\ No newline at end of file