diff --git a/.github/workflows/bld_docker.yml b/.github/workflows/bld_docker.yml
new file mode 100644
index 0000000..71be42e
--- /dev/null
+++ b/.github/workflows/bld_docker.yml
@@ -0,0 +1,148 @@
+name: bld_docker
+
+permissions:
+  checks: write
+  contents: read
+  issues: read
+  pull-requests: write
+
+on:
+  workflow_call:
+    inputs:
+      docker_name:
+        description: 'Name of the docker image to build'
+        required: false
+        default: "orcid/version-bumping-test"
+        type: string
+      context:
+        description: 'Name of the context in the repo'
+        required: false
+        default: "."
+        type: string
+      build_args:
+        description: 'build_args e.g wibble=blar'
+        required: false
+        default: ""
+        type: string
+      file:
+        description: 'specify a custom dockerfile'
+        required: false
+        default: ""
+        type: string
+      version_tag:
+        description: 'Name of the tag to build'
+        required: false
+        default: 'latest'
+        type: string
+      bump:
+        description: 'whether to bump the version number by a major minor patch amount or none'
+        required: false
+        default: 'patch'
+        type: string
+      ref:
+        description: 'git reference to use with the checkout use default_branch to have that calculated'
+        required: false
+        default: "default"
+        type: string
+
+  workflow_dispatch:
+    inputs:
+      docker_name:
+        description: 'Name of the docker image to build'
+        required: false
+        default: "orcid/version-bumping-test"
+        type: string
+      context:
+        description: 'Name of the context in the repo'
+        required: false
+        default: "."
+        type: string
+      build_args:
+        description: 'build_args e.g wibble=blar'
+        required: false
+        default: ""
+        type: string
+      file:
+        description: 'specify a custom dockerfile'
+        required: false
+        default: ""
+        type: string
+      version_tag:
+        description: 'Name of the tag to build'
+        required: false
+        default: 'latest'
+        type: string
+      bump:
+        description: 'whether to bump the version number by a major minor patch amount or none'
+        required: false
+        default: 'patch'
+        type: string
+      ref:
+        description: 'git reference to use with the checkout use default_branch to have that calculated'
+        required: false
+        default: "default"
+        type: string
+
+
+jobs:
+  bld_docker:
+    strategy:
+      matrix:
+        include:
+          - artifact_name: hello-world
+            docker_name: orcid/test/hello-world
+            context: hello-world/
+            file: hello-world/Dockerfile
+
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    steps:
+      - name: git-checkout-ref-action
+        id: ref
+        uses: ORCID/git-checkout-ref-action@main
+        with:
+          default_branch: ${{ github.event.repository.default_branch }}
+          ref: ${{ inputs.ref }}
+
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ steps.ref.outputs.ref }}
+          # checkout some history so we can scan commits for bump messages
+          # NOTE: history does not include tags!
+          fetch-depth: 100
+
+      - name: find next version
+        id: version
+        uses: ORCID/version-bump-action@main
+        with:
+          version_tag: ${{ inputs.version_tag }}
+          bump: ${{ inputs.bump }}
+
+      - uses: docker/setup-buildx-action@v3
+
+      - name: Login to private registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ secrets.DOCKER_REG_PRIVATE }}
+          username: ${{ secrets.DOCKER_USER }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: nasty hack to allow dynamic defaults
+        id: dynamic_defaults
+        run: |
+          FILE="${{ matrix.file }}"
+          echo "default_file=${FILE:-${{ inputs.context }}/Dockerfile}" >> "$GITHUB_OUTPUT"
+
+      - name: show the dynamic defaults
+        run: |
+          echo ${{ steps.dynamic_defaults.outputs.default_file }}
+
+      - uses: docker/build-push-action@v6
+        with:
+          push: false
+          tags: ${{ secrets.DOCKER_REG_PRIVATE }}/${{ matrix.docker_name}}:${{ steps.version.outputs.version_tag_numeric }}
+          context: ${{ matrix.context }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          file: ${{ steps.dynamic_defaults.outputs.default_file }}
+
diff --git a/hello-world/Dockerfile b/hello-world/Dockerfile
new file mode 100644
index 0000000..c7f16ed
--- /dev/null
+++ b/hello-world/Dockerfile
@@ -0,0 +1,21 @@
+FROM maven:3.6.3-jdk-11 AS maven
+
+WORKDIR /build
+
+# copy only poms for max cachability of just dependency downloads
+COPY pom.xml .
+
+# download maven dependencies
+RUN mvn -T 1C --batch-mode \
+  -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn \
+  --file "pom.xml" \
+  dependency:resolve
+
+COPY ./src ./src
+
+RUN mvn -T 1C --batch-mode \
+              -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn \
+              --file "pom.xml" \
+              package -Dmaven.test.skip
+
+