diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
new file mode 100644
index 0000000..c0fa00c
--- /dev/null
+++ b/.github/workflows/build.yml
@@ -0,0 +1,14 @@
+on: push
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ - run: |
+ podman build -t binfmt .
+ podman save --format oci-archive binfmt > binfmt.oci
+ ./unbase_oci -i include -l binfmt.oci binfmt.oci binfmt_distroless.oci
+ image="$(podman load < binfmt_distroless.oci | awk '{ print $NF }')"
+ podman tag "$image" "ghcr.io/${{ github.repository }}"
+ podman login -u token -p "${{ github.token }}" ghcr.io
+ podman push "ghcr.io/${{ github.repository }}"
diff --git a/Containerfile b/Containerfile
new file mode 100644
index 0000000..43404c5
--- /dev/null
+++ b/Containerfile
@@ -0,0 +1,3 @@
+FROM debian:testing
+RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends binfmt-support qemu-user-static
+CMD [ "dd", "bs=1M", "if=/usr/lib/binfmt.d/qemu-aarch64.conf", "of=/proc/sys/fs/binfmt_misc/register" ]
diff --git a/include b/include
new file mode 100644
index 0000000..8601aa6
--- /dev/null
+++ b/include
@@ -0,0 +1,4 @@
+usr/bin/dd
+usr/bin/qemu-aarch64-static
+usr/lib/binfmt.d/qemu-aarch64.conf
+usr/libexec/qemu-binfmt/aarch64-binfmt-P
diff --git a/unbase_oci b/unbase_oci
new file mode 100755
index 0000000..f7eb5b1
--- /dev/null
+++ b/unbase_oci
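Review bot: In `.github/workflows/build.yml` the login line expands `${{ github.token }}` directly into the script text and passes it with `podman login -p`, so the token sits on the process command line, and the workflow declares no `permissions:` block to limit what that token may do. Handing the token over through `env:` and `--password-stdin` keeps it off argv, and an explicit `permissions:` with `contents: read` and `packages: write` scopes it to what the push needs. Separately, `on: push` publishes to the same untagged `ghcr.io/${{ github.repository }}` reference from every branch, and `actions/checkout@v3` is a movable tag; limiting the trigger to the release branch and pinning the action to a full commit SHA would address both.

```yaml
on: push
permissions:
  contents: read
  packages: write
# … unchanged: jobs/build header and checkout step …
      - env:
          REGISTRY_TOKEN: ${{ github.token }}
        run: |
          # … unchanged: podman build, save, unbase_oci, load, tag …
          printf '%s' "$REGISTRY_TOKEN" | podman login -u token --password-stdin ghcr.io
          # … unchanged: podman push …
```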
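Review bot: `FROM debian:testing` in the Containerfile is a rolling tag and the `apt-get install` line pins no package versions, so the `qemu-aarch64-static` binary shipped in the image can differ between two builds of the same commit. That binary is what the `CMD` registers by writing to `/proc/sys/fs/binfmt_misc/register`, so it should be possible to say exactly which build a published image carries; pin the base by digest, for example `FROM debian:testing@sha256:<digest-placeholder>`, and bump it deliberately. A comment above `CMD` would also help operators, e.g. `# Registers the aarch64 handler from qemu-aarch64.conf; needs a writable binfmt_misc mount (typically a privileged container).`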
@@ -0,0 +1,55 @@
+#!/usr/bin/env bash
+
+set -eufo pipefail
+
+container_image=ghcr.io/gardenlinux/unbase_oci:8c70d3ca5e9991ba50baeef84e9f2163d9223d93
+container_engine=podman
+
+container_mount_opts=()
+
+while [ $# -gt 0 ]; do
+ case "$1" in
+ --container-image)
+ container_image="$2"
+ shift 2
+ ;;
+ --container-engine)
+ container_engine="$2"
+ shift 2
+ ;;
+ --print-container-image)
+ printf '%s\n' "$container_image"
+ exit 0
+ ;;
+ *)
+ break
+ ;;
+ esac
+done
+
+args=()
+
+while [ $# -gt 0 ]; do
+ case "$1" in
+ -i|--include|-x|--exclude|--dpkg-include)
+ container_mount_opts+=(-v "$(realpath "$2"):/mnt$(realpath "$2")")
+ args+=("$1" "/mnt$(realpath "$2")")
+ shift 2
+ ;;
+ --no-default-include|--no-default-exclude|-d|--dpkg-dependencies|-l|--ldd-dependencies|--print-tree)
+ args+=("$1")
+ shift
+ ;;
+ *)
+ break
+ ;;
+ esac
+done
+
+container_mount_opts+=(-v "$(realpath "$1"):/mnt$(realpath "$1")")
+[ "$1" = "$2" ] || container_mount_opts+=(-v "$(realpath "$2"):/mnt$(realpath "$2")")
+[ -e "$3" ] || touch "$3"
+container_mount_opts+=(-v "$(realpath "$3"):/mnt$(realpath "$3")")
+args+=("/mnt$(realpath "$1")" "/mnt$(realpath "$2")" "/mnt$(realpath "$3")")
+
+"$container_engine" run --rm --read-only --tmpfs /tmp:rw,exec "${container_mount_opts[@]}" "$container_image" "${args[@]}"
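Review bot: The default `container_image` in `unbase_oci` is referenced by tag; the value looks like a commit id, but a registry tag can still be re-pointed, and this image is run with the build's input and output archives bind-mounted. A digest reference is the safer default, e.g. `container_image=ghcr.io/gardenlinux/unbase_oci@sha256:<digest-placeholder>`. The bind mounts are also all read-write: the include/exclude files in the option loop only need to be read, so `-v "$(realpath "$2"):/mnt$(realpath "$2"):ro"` fits there, and the same probably holds for the first two positional archives when they differ from the output path. The script also uses `$1` to `$3` without checking `$#`, so a short argument list ends in a bare `set -u` unbound-variable error; a guard such as `[ $# -eq 3 ] || { echo "expected 3 positional arguments" >&2; exit 1; }` before the positional mounts would make the failure explicit.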