diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
new file mode 100644
index 0000000..f1a1695
--- /dev/null
+++ b/.github/workflows/publish.yml
@@ -0,0 +1,44 @@
+name: Publish container image
+
+on:
+  push:
+    branches:
+      - main
+    tags:
+      - 'v*'
+  workflow_dispatch: # for manual trigger
+
+jobs:
+  build-and-publish:
+    permissions:
+      contents: read
+      packages: write
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Get the code
+      uses: actions/checkout@v6
+
+    - name: Get .NET
+      uses: actions/setup-dotnet@v5
+      with:
+        dotnet-version: '10.0.x'
+
+    - name: Build x64 container image (without publishing)
+      if: github.ref_type != 'tag'
+      working-directory: src/OAuch
+      run: |
+        dotnet publish --arch x64
+
+    - name: Build and publish x64 and arm64 images
+      if: github.ref_type == 'tag'
+      working-directory: src/OAuch
+      env:
+          DOTNET_CONTAINER_REGISTRY_UNAME: ${{ github.actor }}
+          DOTNET_CONTAINER_REGISTRY_PWORD: ${{ secrets.GITHUB_TOKEN }}
+      run: |
+        dotnet publish -t:PublishContainer \
+          -p:RuntimeIdentifiers='"linux-x64;linux-arm64"' \
+          -p:ContainerRegistry=ghcr.io \
+          -p:ContainerRepository=${{ github.repository }} \
+          -p:ContainerImageTags='"latest;${{ github.ref_name }}"'
diff --git a/src/OAuch/OAuch/OAuch.csproj b/src/OAuch/OAuch/OAuch.csproj
index 2e0308a..ad3d3d1 100644
--- a/src/OAuch/OAuch/OAuch.csproj
+++ b/src/OAuch/OAuch/OAuch.csproj
@@ -27,6 +27,9 @@
     <None Remove="oauch.db-wal" />
     <None Remove="oauch.db-wal.org" />
     <None Remove="oauch.db.org" />
+    <ContainerEnvironmentVariable
+      Include="ASPNETCORE_ENVIRONMENT"
+      Value="Container" />
   </ItemGroup>
 	
   <ItemGroup>
diff --git a/src/OAuch/OAuch/appsettings.Container.json b/src/OAuch/OAuch/appsettings.Container.json
new file mode 100644
index 0000000..a9f4baa
--- /dev/null
+++ b/src/OAuch/OAuch/appsettings.Container.json
@@ -0,0 +1,15 @@
+{
+  "Kestrel": {
+    "Endpoints": {
+      "Https": {
+        // rootless container cannot bind to ports < 1024
+        // https://devblogs.microsoft.com/dotnet/securing-containers-with-rootless/#switching-to-port-8080
+        "Url": "http://*:8080",
+        "Protocols": "Http1"
+      }
+    }
+  },
+  "ConnectionStrings": {
+    "OAuchDbContextConnection": "Data Source=/home/app/oauch.db;"
+  }
+}
diff --git a/src/OAuch/OAuch/appsettings.Docker.json b/src/OAuch/OAuch/appsettings.Docker.json
deleted file mode 100644
index 69131fd..0000000
--- a/src/OAuch/OAuch/appsettings.Docker.json
+++ /dev/null
@@ -1,5 +0,0 @@
-{
-  "ConnectionStrings": {
-    "OAuchDbContextConnection": "Data Source=/db/oauch.db;"
-  }
-}
\ No newline at end of file