diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
new file mode 100644
index 0000000..900b7d7
--- /dev/null
+++ b/.github/workflows/docker-publish.yml
@@ -0,0 +1,80 @@ +# This workflow builds a Docker image and uploads it to Docker hub. +# +# If the push input id false, the image is built but not uploaded. +# +# Secrets must be inherited from the caller. +# +# Based on most recent docker guide [1], with some adaptations based on +# existing FDP and FDP-client workflows. +# +# [1]: https://docs.docker.com/guides/gha/ + +name: Docker publish + +on: + workflow_call: + # https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#onworkflow_callinputs + inputs: + # the caller can specify whether to push the image to docker hub + push: + description: 'Determines if the resulting Docker image is pushed to Docker Hub' + required: true + type: boolean + +jobs: + build: + runs-on: ubuntu-latest + steps: + - # https://github.com/actions/checkout + name: Clone git repo + uses: actions/checkout@v4 + + - # https://github.com/docker/metadata-action + name: Extract git metadata for Docker image + id: meta + uses: docker/metadata-action@v5 + with: + # e.g. 
fairdata/fairdatapoint + images: | + ${{ vars.DOCKER_HUB_USERNAME }}/${{ vars.DOCKER_IMAGE_NAME }} + # `latest` tag is generated by default + tags: | + type=ref,event=branch + type=ref,event=pr + type=semver,pattern={{version}} + type=semver,pattern={{major}}.{{minor}} + type=semver,pattern={{major}},enable=${{ !startsWith(github.ref, 'refs/tags/v0.') }} + + - # https://github.com/docker/login-action + name: Log in to Docker Hub + uses: docker/login-action@v3 + with: + username: ${{ vars.DOCKER_HUB_USERNAME }} + password: ${{ secrets.DOCKER_HUB_PASSWORD }} + + - # https://github.com/docker/setup-qemu-action + # for multi-platform builds + name: Set up QEMU + uses: docker/setup-qemu-action@v3 + + - # https://github.com/docker/setup-buildx-action + # recommended by build-push-action + # for multi-platform builds, provenance, sbom, and more + name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - # https://github.com/docker/build-push-action + name: Build and push Docker image + uses: docker/build-push-action@v6 + with: + context: . + # https://docs.docker.com/build/concepts/dockerfile/#filename + file: ./Dockerfile + platforms: linux/amd64,linux/arm64 + # alternative: push: ${{ github.event_name == 'release' && github.event.action == 'created' }} + push: ${{ github.event_name != 'pull_request' }} + tags: ${{ steps.meta.outputs.tags }} + # https://docs.docker.com/build/metadata/annotations/ + annotations: ${{ steps.meta.outputs.annotations }} + provenance: true + sbom: true diff --git a/.github/workflows/test-docker-publish.yml b/.github/workflows/test-docker-publish.yml new file mode 100644 index 0000000..6d2c036 --- /dev/null +++ b/.github/workflows/test-docker-publish.yml 
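Review bot: The `push` input declared under `workflow_call` is never read: the build-push-action step sets `push: ${{ github.event_name != 'pull_request' }}`, so a caller passing `push: false` (for example to publish only on `release`) still uploads on every non-PR event, and the header comment "If the push input id false, the image is built but not uploaded" (read "is false") does not hold. Change that line to `push: ${{ inputs.push }}`. The docker/login-action step also runs unconditionally, which hands the Docker Hub credential to builds that never upload and, on `pull_request` runs from forks where GitHub presumably exposes no repository secrets, would fail before the build even starts; guard it with `if: ${{ inputs.push }}`. Because a reusable workflow inherits the caller's token scope, add `permissions: contents: read` to the `build` job (the `publish` job in test-docker-publish.yml has the same gap). Every third-party action is referenced by a mutable major tag (`actions/checkout@v4`, `docker/metadata-action@v5`, `docker/build-push-action@v6`, …); pinning each `uses:` to a full commit SHA with the tag in a trailing comment would close off tag retargeting in the supply chain.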
@@ -0,0 +1,18 @@ +# This workflow tests the reusable docker-publish workflow + +name: test docker-publish + +on: + push: + branches: + - main + pull_request: + workflow_dispatch: + +jobs: + publish: + # FAIRDataTeam/github-workflows/.github/workflows/docker-publish.yml@main + uses: ./.github/workflows/docker-publish.yml + secrets: inherit + with: + push: ${{ github.event_name != 'pull_request' }} diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 0000000..cd8182d --- /dev/null +++ b/Dockerfile @@ -0,0 +1,5 @@ +# this minimal dockerfile and the hello binary were copied from docker's hello-world example +# https://github.com/docker-library/hello-world +FROM scratch +COPY hello / +CMD ["/hello"] diff --git a/README.md b/README.md index 91550d8..643602d 100644 --- a/README.md +++ b/README.md @@ -17,7 +17,9 @@ The following [FAIRDataTeam] repositories depend on the reusable workflows from - [spring-rdf-migration] - [spring-security-acl-mongodb] -## Example +## Examples + +### maven-publish An example of a publication workflow that is triggered when a release is created, and re-uses two workflows: 
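Review bot: `push: ${{ github.event_name != 'pull_request' }}` is also true for the `workflow_dispatch` trigger, so a manual run on any branch publishes a branch-tagged image to Docker Hub with the inherited credentials instead of only exercising the build. If the test workflow is meant to upload only from `main`, use `push: ${{ github.event_name == 'push' }}`; if manual publishing is intended, say so in the comment above the job, e.g. `# manual runs publish an image tagged with the dispatched branch`.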
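Review bot: The `hello` binary is committed as an opaque executable (mode 100755, "Binary files /dev/null and b/hello differ") and the Dockerfile comment records only the upstream repository, not the commit or release it was taken from nor its digest, so a later reviewer cannot verify it is the unmodified upstream artifact. Extend the comment with the provenance, e.g. `# copied from docker-library/hello-world at commit <UPSTREAM_COMMIT>, sha256 <SHA256_OF_HELLO>` (placeholders to fill in), or build the binary from the upstream source in a build stage so the image does not depend on a checked-in executable.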
@@ -45,6 +47,51 @@ jobs: mvn_options: tidy:check com.github.spotbugs:spotbugs-maven-plugin:check ``` +### docker-publish +For pull requests, nothing is uploaded, but a test build is created. + +The following variables and secrets must be defined in the calling repo (conforming to existing names from the FDP repos): + +- `vars.DOCKER_IMAGE_NAME` +- `vars.DOCKER_HUB_USERNAME` +- `secrets.DOCKER_HUB_PASSWORD` + +Secrets must be inherited from the caller. + +The workflow could be triggered on `push` and `pull_request` (see [1]). For example: + +```yaml +name: publish to docker hub on push +on: + push: + branches: + - develop + pull_request: + +jobs: + publish: + uses: FAIRDataTeam/github-workflows/.github/workflows/docker-publish.yml@v1 + secrets: inherit + with: + push: ${{ github.event_name != 'pull_request' }} +``` + +Alternatively, we could push on release creation only, for example: + +```yaml +name: publish to docker hub on release +on: + release: + types: [created] + +jobs: + publish: + uses: FAIRDataTeam/github-workflows/.github/workflows/docker-publish.yml@v1 + secrets: inherit + with: + push: ${{ github.event_name == 'release' && github.event.action == 'created' }} +``` + ## Releases Releases follow [semantic versioning]. diff --git a/hello b/hello new file mode 100755 index 0000000..3ffc66f Binary files /dev/null and b/hello differ