diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 0000000..e84dc2a
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,4 @@
+.git/
+target/
+docker-build/
+/*.yaml
diff --git a/.github/workflows/audit.yaml b/.github/workflows/audit.yaml
new file mode 100644
index 0000000..9656226
--- /dev/null
+++ b/.github/workflows/audit.yaml
@@ -0,0 +1,17 @@
+name: Security audit
+on:
+ schedule:
+ - cron: "17 5 * * 5"
+ push:
+ branches:
+ - main
+ paths:
+ - '**/Cargo.toml'
+ - '**/Cargo.lock'
+
+jobs:
+ security-audit:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: EmbarkStudios/cargo-deny-action@v1
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
new file mode 100644
index 0000000..7ccd6d7
--- /dev/null
+++ b/.github/workflows/ci.yaml
@@ -0,0 +1,46 @@
+name: Continuous integration
+on: pull_request
+
+jobs:
+ ci:
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ rust:
+ - stable
+ - beta
+
+ steps:
+ - uses: actions/checkout@v4
+ - uses: dtolnay/rust-toolchain@stable
+ name: Setup toolchain
+ with:
+ toolchain: ${{ matrix.rust }}
+ components: rustfmt, clippy
+
+ - name: Build
+ run: cargo build
+
+ - name: Test
+ env:
+ CI: true
+ run: cargo test
+
+ - name: Fmt
+ run: cargo fmt --all -- --check
+
+ - name: Clippy
+ run: cargo clippy -- -D warnings
+
+ docker-test:
+ runs-on: ubuntu-latest
+ needs: ci
+ strategy:
+ matrix:
+ binary:
+ - git-events-runner
+ - gitrepo-cloner
+ steps:
+ - uses: actions/checkout@v4
+ - name: Test image build
+ run: docker build -f docker-build/${{matrix.binary}}.dockerfile .
diff --git a/.github/workflows/publish-image.yaml b/.github/workflows/publish-image.yaml
new file mode 100644
index 0000000..251b8be
--- /dev/null
+++ b/.github/workflows/publish-image.yaml
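Review bot: Neither new workflow declares a `permissions:` block, so the `security-audit` job in audit.yaml (and the `ci` and `docker-test` jobs in ci.yaml) run with whatever default GITHUB_TOKEN scope the repository is configured with, although none of their steps needs write access. Adding `permissions:` followed by `  contents: read` at the top of audit.yaml (and of ci.yaml) pins the token to read-only and matches the explicit per-job permissions that publish-image.yaml already sets. The actions are referenced by floating major tags (`actions/checkout@v4`, `EmbarkStudios/cargo-deny-action@v1`); pinning the audit workflow's actions to a full commit SHA would make the supply-chain check itself independent of an upstream tag being moved. cargo-deny's default checks also inspect dependency sources, so the `sacs` git dependency introduced in Cargo.toml by this same commit may need an entry in a deny.toml — worth confirming on the first scheduled run.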
@@ -0,0 +1,56 @@
+name: Build/push image
+on:
+ push:
+ tags: [ 'v*.*.*' ]
+
+env:
+ REGISTRY: ghcr.io
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
+ id-token: write
+ strategy:
+ matrix:
+ binary:
+ - git-events-runner
+ - gitrepo-cloner
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Install cosign
+ if: github.event_name != 'pull_request'
+ uses: sigstore/cosign-installer@v3
+
+ - name: Setup Docker buildx
+ uses: docker/setup-buildx-action@v2
+
+ - name: Log into registry ${{ env.REGISTRY }}
+ if: github.event_name != 'pull_request'
+ uses: docker/login-action@v3
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Extract Docker metadata
+ id: meta
+ uses: docker/metadata-action@v5
+ with:
+ images: ${{ env.REGISTRY }}/${{ github.repository }}/${{ matrix.binary }}
+
+ - name: Build and push Docker image
+ id: build-and-push
+ uses: docker/build-push-action@v5
+ with:
+ context: .
+ push: ${{ github.event_name != 'pull_request' }}
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
diff --git a/Cargo.lock b/Cargo.lock
index bb176fd..703308b 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1409,6 +1409,7 @@ checksum = "e86697c916019a8588c99b5fac3cead74ec0b4b819707a682fd4d23fa0ce1ba1"
 [[package]]
 name = "sacs"
 version = "0.2.1"
+source = "git+https://github.com/alex-karpenko/sacs.git#b2495ad8ed85f01ddd12204d28e9cb309529378d"
 dependencies = [
 "chrono",
 "cron",
diff --git a/Cargo.toml b/Cargo.toml
index 16f234e..5fe9055 100644
--- a/Cargo.toml
+++ b/Cargo.toml
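Review bot: The `build` job installs cosign and grants `id-token: write`, but no step ever signs the pushed image, so the extra permission and the `Install cosign` step are dead weight and the images reach the registry unsigned. Either drop the installer and the `id-token: write` line, or add a signing step after `Build and push Docker image` that uses the digest the step already exposes through its `build-and-push` id, as sketched below. The `if: github.event_name != 'pull_request'` guards and the `push:` expression are always true here, since the only trigger is `on.push.tags`, so they can be removed or the trigger documented with a comment such as `# tag pushes only; the pull_request guards below are kept for a possible PR trigger`. `docker/setup-buildx-action@v2` is also one major behind the other docker actions used in the same job; worth checking that is intentional.
```yaml
      # … unchanged: Build and push Docker image step (id: build-and-push) …
      - name: Sign the published image
        env:
          TAGS: ${{ steps.meta.outputs.tags }}
          DIGEST: ${{ steps.build-and-push.outputs.digest }}
        run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
```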
@@ -31,13 +31,13 @@ path = "src/lib.rs" [dependencies] anyhow = "1" -clap = { version = "4.5.3", features = ["derive"] } +clap = {version = "4.5.3", features = ["derive"]} futures = "0.3.30" git2 = "0.18.2" humantime = "2.1.0" k8s-openapi = {version = "0.21.1", features = ["latest"]} regex = "1" -sacs = {path = "../sacs", version = "0.2.1", features = ["async-trait"]} +sacs = {git = "https://github.com/alex-karpenko/sacs.git", version = "0.2.1", features = ["async-trait"]} schemars = "0.8.16" serde = {version = "1", features = ["derive"]} serde_json = "1" diff --git a/docker-build/git-events-runner.dockerfile b/docker-build/git-events-runner.dockerfile new file mode 100644 index 0000000..c83728e --- /dev/null +++ b/docker-build/git-events-runner.dockerfile @@ -0,0 +1,13 @@ +# Build stage +FROM rust:1.76 as build + +WORKDIR /app +COPY . /app +RUN cargo build --release --bin git-events-runner + +# Runtime stage +FROM gcr.io/distroless/cc-debian12 +COPY --from=build /app/target/release/git-events-runner / + +ENTRYPOINT ["/git-events-runner"] +CMD ["--help"] diff --git a/docker-build/gitrepo-cloner.dockerfile b/docker-build/gitrepo-cloner.dockerfile new file mode 100644 index 0000000..8539347 --- /dev/null +++ b/docker-build/gitrepo-cloner.dockerfile @@ -0,0 +1,13 @@ +# Build stage +FROM rust:1.76 as build + +WORKDIR /app +COPY . /app +RUN cargo build --release --bin gitrepo-cloner + +# Runtime stage +FROM gcr.io/distroless/cc-debian12 +COPY --from=build /app/target/release/gitrepo-cloner / + +ENTRYPOINT ["/gitrepo-cloner"] +CMD ["--help"]
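Review bot: The new `sacs` dependency points at a git repository with no `rev`, `tag` or `branch`, so Cargo.lock is the only thing holding it at commit `b2495ad8ed85f01ddd12204d28e9cb309529378d` (the lock entry added in this same commit), and any `cargo update` — or any build allowed to rewrite the lockfile — will silently move to the branch head. Pinning the manifest, `sacs = {git = "https://github.com/alex-karpenko/sacs.git", rev = "b2495ad8ed85f01ddd12204d28e9cb309529378d", version = "0.2.1", features = ["async-trait"]}`, makes the intended revision reviewable and keeps Cargo.toml and Cargo.lock in agreement. The `clap` line change in this hunk is whitespace only.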
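Review bot: `RUN cargo build --release --bin git-events-runner` runs without `--locked`, so if the copied Cargo.lock ever disagrees with Cargo.toml — now plausible, since `sacs` is a git dependency with no pinned rev — cargo resolves a new revision inside the image build instead of failing; `RUN cargo build --release --locked --bin git-events-runner` makes the image reproducible from the committed lockfile. The runtime stage `gcr.io/distroless/cc-debian12` runs as root by default; the `:nonroot` variant of the same image, `FROM gcr.io/distroless/cc-debian12:nonroot`, switches to an unprivileged user without other changes, because the binary copied to `/` stays world-readable. Both points apply identically to docker-build/gitrepo-cloner.dockerfile. `COPY . /app` before the build also invalidates the whole compile layer on every source change; a separate dependency-only layer would be a cache improvement, not a correctness issue.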