diff --git a/.github/workflows/ioc-images.yml b/.github/workflows/ioc-images.yml
new file mode 100644
index 0000000..cdc4c22
--- /dev/null
+++ b/.github/workflows/ioc-images.yml
@@ -0,0 +1,35 @@
+name: Build image
+on:
+  workflow_call:
+
+jobs:
+  build_and_push:
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+      contents: read
+    env:
+      REGISTRY: ghcr.io/${{ github.repository_owner }}
+      SOURCE: https://github.com/${{ github.repository }}
+      TAG: ${{ github.ref_name }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          submodules: true
+      - uses: docker/setup-buildx-action@v3
+      - name: Log in to registry
+        if: github.event_name == 'push'
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Build and push tagged image
+        uses: docker/bake-action@v4
+        with:
+          workdir: ./
+          files: docker-compose.yml
+          set: |
+            *.cache-from=type=gha
+            *.cache-to=type=gha,mode=max
+          push: ${{ github.event_name == 'push' && github.ref_type == 'tag' }}
diff --git a/CHANGES.md b/CHANGES.md
index 02ecaf6..7d68062 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -6,6 +6,8 @@
 
 * base: add PVXS module. by @ericonr in
   https://github.com/cnpem/epics-in-docker/pull/42
+* ci: add reusable job for IOC images. by @ericonr in
+  https://github.com/cnpem/epics-in-docker/pull/49
 
 ### Bug fixes
 
diff --git a/README.md b/README.md
index 9121d19..e37ac43 100644
--- a/README.md
+++ b/README.md
@@ -64,6 +64,11 @@ Packages essential to all (or most) IOCs should be added to [this repository's
 The template above assumes the containers will be uploaded to the GitHub
 registry.
 
+`:${TAG}` adds versioning to images using [our CI workflows](#ci-workflows),
+and when building images locally and exporting the `TAG` environment variable.
+If there is no interest in using versioned images and the resulting container
+image should be tagged as `latest`, `:${TAG}` can simply be omitted.
+
 ### areaDetector IOCs
 
 `areaDetector` IOCs must be built with target `dynamic-link`. In addition, they
@@ -80,6 +85,34 @@ module depends on it.
 Known build and runtime issues are documented in the [SwC
 wiki](http://swc.lnls.br/).
 
+## CI Workflows
+
+Users of this repository for building IOC images can also take advantage of
+pre-defined continuous integration workflows in order to verify that images are
+built correctly after changes, and for uploading container images to the
+desired registry on Git tag creation.
+
+### GitHub Actions
+
+A YAML file must be added to the repository's `.github/workflows/` directory
+(e.g. `.github/workflows/build.yml`), with the following contents:
+
+```
+name: Build image
+on:
+  push:
+    tags:
+      - 'v*'
+  pull_request:
+
+jobs:
+  build_and_push:
+    permissions:
+      packages: write
+      contents: read
+    uses: cnpem/epics-in-docker/.github/workflows/ioc-images.yml
+```
+
 ## Containers
 
 ### Accessing `iocsh` inside containers