diff --git a/.github/workflows/build-operator.yml b/.github/workflows/build-operator.yml
new file mode 100644
index 0000000..e81ab19
--- /dev/null
+++ b/.github/workflows/build-operator.yml
@@ -0,0 +1,75 @@
+---
+name: Build operator
+
+on:
+ workflow_call:
+
+# https://docs.github.com/en/actions/using-jobs/using-concurrency
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.number || github.ref }}
+ # cancel jobs in progress for updated PRs, but not merge or tag events
+ cancel-in-progress: ${{ github.event.action == 'synchronize' }}
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ platform:
+ - linux/amd64
+ - linux/arm64
+ include:
+ - platform: linux/amd64
+ slug: linux-amd64
+ goarch: amd64
+ filearch: x86-64
+ - platform: linux/arm64
+ slug: linux-arm64
+ goarch: arm64
+ filearch: aarch64
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ submodules: recursive
+
+ - uses: docker/setup-qemu-action@v3
+ - uses: docker/setup-buildx-action@v3
+
+ - uses: actions/setup-go@v4
+ with:
+ cache-dependency-path: |
+ src/go.sum
+ go-version-file: src/go.mod
+
+ - id: build
+ run: |
+ set -x
+
+ wget -qO /usr/local/bin/operator-sdk https://github.com/operator-framework/operator-sdk/releases/download/${OPERATOR_SDK_VERSION}/operator-sdk-${OPERATOR_SDK_VERSION}-$(uname -m)-linux-gnu
+ chmod +x /usr/local/bin/operator-sdk
+
+ release_sha=$(cd src; git rev-parse HEAD)
+ SECRET_OPERATOR_VERSION=${release_sha::7}
+
+ ln -s src ${DOCKER_IMAGE}
+ pushd ${DOCKER_IMAGE}
+ make build
+ [[ $(file -b build/_output/bin/kubernetes-secret-generator) =~ ${{ matrix.filearch }} ]]
+ echo "release_sha=${release_sha}" >> $GITHUB_OUTPUT
+
+ env:
+ OPERATOR_SDK_VERSION: v0.19.1
+ DOCKER_IMAGE: kubernetes-secret-generator # throw away image(s)
+ DOCKER_DEFAULT_PLATFORM: ${{ matrix.platform }} # throw away image(s)
+ GOARCH: ${{ matrix.goarch }}
+
+ - run: |
+ cat ${{ runner.temp }}/kubernetes-secret-generator.zst
+
+ - uses: actions/upload-artifact@v3
+ with:
+ name: kubernetes-secret-generator-${{ steps.build.outputs.release_sha }}-${{ matrix.slug }}
+ path: ${{ runner.temp }}/kubernetes-secret-generator.zst
+ if-no-files-found: error
+ retention-days:
1
\ No newline at end of file
diff --git a/.github/workflows/flowzone.yml b/.github/workflows/flowzone.yml
new file mode 100644
index 0000000..853c481
--- /dev/null
+++ b/.github/workflows/flowzone.yml
@@ -0,0 +1,56 @@
+---
+name: Flowzone
+
+on:
+ pull_request:
+ types: [opened, synchronize, closed]
+ branches: [main, master]
+ pull_request_target:
+ types: [opened, synchronize, closed]
+ branches: [main, master]
+
+permissions:
+ actions: read
+ checks: read
+ contents: read
+ deployments: read
+ issues: read
+ discussions: read
+ packages: write
+ pages: read
+ pull-requests: read
+ repository-projects: read
+ security-events: read
+ statuses: read
+
+jobs:
+ flowzone:
+ name: Flowzone
+ uses: product-os/flowzone/.github/workflows/flowzone.yml@master
+ # prevent duplicate workflow executions for pull_request and pull_request_target
+ if: |
+ (
+ github.event.pull_request.head.repo.full_name == github.repository &&
+ github.event_name == 'pull_request'
+ ) || (
+ github.event.pull_request.head.repo.full_name != github.repository &&
+ github.event_name == 'pull_request_target'
+ )
+ secrets:
+ DOCKERHUB_USER: ${{ secrets.DOCKERHUB_USER }}
+ DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
+ GH_APP_PRIVATE_KEY: ${{ secrets.GH_APP_PRIVATE_KEY }}
+ with:
+ jobs_timeout_minutes: 60
+ repo_config: true
+ repo_description: |
+ "Build scaffold for kubernetes-secret-generator (multi-arch)"
+ repo_homepage: "https://github.com/mittwald/kubernetes-secret-generator"
+ # FIXME: remove when https://github.com/mittwald/kubernetes-secret-generator/issues/80 is resolved
+ docker_images: |
+ ghcr.io/belodetek/kubernetes-secret-generator
+ docker_runs_on: >
+ {
+ "linux/amd64": ["ubuntu-22.04"],
+ "linux/arm64": ["ubuntu-22.04"]
+ }
diff --git a/.github/workflows/workflow.yml b/.github/workflows/workflow.yml
new file mode 100644
index 0000000..8cfe345
--- /dev/null
+++ b/.github/workflows/workflow.yml
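Review bot: The `build` step in build-operator.yml fetches the operator-sdk binary with `wget -qO /usr/local/bin/operator-sdk …` and marks it executable without any integrity check, so whatever the release URL serves is what the job runs (presumably via `make build`). Record the expected digest next to `OPERATOR_SDK_VERSION` and verify it before the `chmod`, for example `echo "${OPERATOR_SDK_SHA256}  /usr/local/bin/operator-sdk" | sha256sum -c -`, where `OPERATOR_SDK_SHA256` is a placeholder name for a new `env:` entry holding the digest recorded for v0.19.1. The `uses:` entries in this job reference actions by mutable tags (`@v4`, `@v3`); pinning them to full commit SHAs closes the same gap for the actions themselves.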
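Review bot: The `flowzone` job in flowzone.yml calls `product-os/flowzone/.github/workflows/flowzone.yml@master`, a mutable branch, while passing it `DOCKERHUB_TOKEN`, `GH_APP_PRIVATE_KEY` and a token with `packages: write`, so any later push to that branch changes what runs with those credentials. Reference the reusable workflow by full commit SHA instead, `uses: product-os/flowzone/.github/workflows/flowzone.yml@<FULL_COMMIT_SHA>` (placeholder), and bump it deliberately. The `if:` expression routes fork pull requests through `pull_request_target`, which runs with the base repository's secrets, so it is worth confirming that the called workflow, which is not visible here, never builds or executes fork-supplied code in a job that can read them. A comment above `pull_request_target:` recording that assumption would help the next reader.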
@@ -0,0 +1,11 @@
+---
+name: Build
+
+on:
+ pull_request:
+ types: [opened, synchronize]
+ branches: [main, master]
+
+jobs:
+ build:
+ uses: ./.github/workflows/build-operator.yml
diff --git a/.gitmodules b/.gitmodules
new file mode 100644
index 0000000..3bbd60e
--- /dev/null
+++ b/.gitmodules
@@ -0,0 +1,3 @@
+[submodule "src"]
+ path = src
+ url = https://github.com/mittwald/kubernetes-secret-generator.git
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..50c49da
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,35 @@
+FROM debian AS artefact
+
+ARG TARGETPLATFORM
+
+COPY . .
+
+RUN apt update && apt install -y git gnupg2 zstd file \
+ && apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 23F3D4EA75716059 \
+ && echo "deb [arch=$(dpkg --print-architecture)] https://cli.github.com/packages stable main" > /etc/apt/sources.list.d/github-cli.list \
+ && apt update && apt install gh -y
+
+RUN --mount=type=secret,id=GITHUB_TOKEN set -ax; \
+ gh auth login --with-token kubernetes-secret-generator \
+ && chmod +x kubernetes-secret-generator \
+ && file kubernetes-secret-generator
+
+
+# --- runtime
+FROM registry.access.redhat.com/ubi8/ubi-minimal:8.8
+
+ENV OPERATOR=/usr/local/bin/kubernetes-secret-generator \
+ USER_UID=1001 \
+ USER_NAME=kubernetes-secret-generator
+
+COPY --from=artefact kubernetes-secret-generator ${OPERATOR}
+COPY src/build/bin /usr/local/bin
+RUN /usr/local/bin/user_setup
+
+ENTRYPOINT ["/usr/local/bin/entrypoint"]
+
+USER ${USER_UID}
diff --git a/README.md b/README.md
index 90ef4ec..ecf2fca 100644
--- a/README.md
+++ b/README.md
@@ -1 +1,5 @@ # kubernetes-secret-generator
+> [kubernetes-secret-generator] build scaffold to provide multi-arch images
+
+
+[kubernetes-secret-generator]: https://github.com/mittwald/kubernetes-secret-generator
\ No newline at end of file
diff --git a/docker-bake.hcl b/docker-bake.hcl
new file mode 100644
index 0000000..2bcedae
--- /dev/null
+++ b/docker-bake.hcl
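Review bot: The `Build` workflow in workflow.yml declares no `permissions:`, so the `build-operator.yml` job it calls runs with whatever default `GITHUB_TOKEN` scope the repository is configured with. The called job as shown only checks out sources and uploads an artifact, so a top-level `permissions:` block with `contents: read` should be enough and keeps the token read-only regardless of the repository setting.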
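Review bot: In the first `RUN` of the Dockerfile's `artefact` stage, `apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 23F3D4EA75716059` pulls the signing key from a public keyserver by key ID and adds it to apt's global trust, so it is accepted for every configured repository; `apt-key` is also deprecated. Install the publisher's keyring file under `/usr/share/keyrings/` and scope it in the source line, `deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main`. `FROM debian` carries no tag or digest, so the build-stage base can change silently between builds; pin it the way the runtime stage pins `ubi-minimal:8.8`. The second `RUN` mounts `GITHUB_TOKEN` under `set -ax`; dropping the `x` avoids tracing any command that expands the token into the build log.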
@@ -0,0 +1,6 @@
+target "default" {
+ platforms = [
+ "linux/amd64",
+ "linux/arm64"
+ ]
+}
diff --git a/foo.zst b/foo.zst
new file mode 100644
index 0000000..5cf0456
Binary files /dev/null and b/foo.zst differ
diff --git a/repo.yml b/repo.yml
new file mode 100644
index 0000000..545c520
--- /dev/null
+++ b/repo.yml
@@ -0,0 +1,2 @@
+---
+type: "docker"
diff --git a/src b/src
new file mode 160000
index 0000000..23b2d7d
--- /dev/null
+++ b/src
@@ -0,0 +1 @@
+Subproject commit 23b2d7dd5986eb8406cbaa8ae7aa76e238a8ab9c