diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 0000000..8f31392
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,130 @@
+name: CI
+
+on:
+  push:
+    branches:
+      - main
+    tags:
+      - v*
+  pull_request:
+    branches:
+      - main
+  pull_request_target:
+    types:
+      - closed
+  workflow_dispatch:
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+  GOPRIVATE: github.com/weaveworks/cluster-controller
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read # for actions/checkout to fetch code
+    steps:
+      - name: Configure git for private modules
+        env:
+          GITHUB_BUILD_USERNAME: ${{ secrets.BUILD_BOT_USER }}
+          GITHUB_BUILD_TOKEN: ${{ secrets.BUILD_BOT_PERSONAL_ACCESS_TOKEN }}
+        run: git config --global url."https://${GITHUB_BUILD_USERNAME}:${GITHUB_BUILD_TOKEN}@github.com".insteadOf "https://github.com"
+
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Setup
+        uses: actions/setup-go@v3
+        with:
+          go-version: 1.20.x
+          cache: true
+
+      - name: Test
+        run: make test
+
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      packages: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0 # for git describe
+          ref: ${{ github.event.pull_request.head.sha || github.sha }}
+
+      - name: Get version
+        id: get_version
+        run: echo "::set-output name=VERSION::$(make version)"
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+      - name: Configure git for private modules
+        env:
+          GITHUB_BUILD_USERNAME: ${{ secrets.BUILD_BOT_USER }}
+          GITHUB_BUILD_TOKEN: ${{ secrets.BUILD_BOT_PERSONAL_ACCESS_TOKEN }}
+        run: git config --global url."https://${GITHUB_BUILD_USERNAME}:${GITHUB_BUILD_TOKEN}@github.com".insteadOf "https://github.com"
+
+      - name: go mod vendor
+        run: go mod vendor
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          build-args: VERSION=${{ steps.get_version.outputs.VERSION }}
+
+  build-push-helm-chart:
+    runs-on: ubuntu-latest
+    needs: [build, test]
+    # only run on tag
+    # if: startsWith(github.ref, 'refs/tags/v')
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      packages: write # to upload images/helm-chart
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0 # for git describe
+          ref: ${{ github.event.pull_request.head.sha || github.sha }}
+
+      - name: Configure git for private modules
+        env:
+          GITHUB_BUILD_USERNAME: ${{ secrets.BUILD_BOT_USER }}
+          GITHUB_BUILD_TOKEN: ${{ secrets.BUILD_BOT_PERSONAL_ACCESS_TOKEN }}
+        run: git config --global url."https://${GITHUB_BUILD_USERNAME}:${GITHUB_BUILD_TOKEN}@github.com".insteadOf "https://github.com"
+
+      - name: Install Helm
+        run: |
+          wget --no-verbose https://get.helm.sh/helm-v3.12.1-linux-amd64.tar.gz
+          tar -zxvf helm-v3.12.1-linux-amd64.tar.gz
+          mv linux-amd64/helm /usr/local/bin/helm
+          helm version
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and publish chart
+        run: |
+          make publish-helm-chart
diff --git a/Dockerfile b/Dockerfile
index c389c09..3fdaed4 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -9,7 +9,8 @@ COPY go.mod go.mod
 COPY go.sum go.sum
 # cache deps before building and copying source so that we don't need to re-download as much
 # and so that source changes don't invalidate our downloaded layer
-RUN go mod download
+# RUN go mod download
+COPY vendor vendor
 
 # Copy the go source
 COPY cmd/main.go cmd/main.go
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..fe76f45
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,2 @@
+The cluster-reflector-controller is under the same license and commercial agreement as Weave GitOps Enterprise, and can only be used in conjunction.
+
diff --git a/Makefile b/Makefile
index 751cdd7..54c6a28 100644
--- a/Makefile
+++ b/Makefile
@@ -1,9 +1,17 @@
+VERSION ?= $(shell git describe --tags --always)
+# Strip off leading `v`: v0.12.0 -> 0.12.0
+# Seems to be idiomatic for chart versions: https://helm.sh/docs/topics/charts/#the-chart-file
+CHART_VERSION := $(shell echo $(VERSION) | sed 's/^v//')
 
 # Image URL to use all building/pushing image targets
-IMG ?= controller:latest
+IMG ?= ghcr.io/weaveworks/cluster-reflector-controller:${VERSION}
+
+CHART_REGISTRY ?= ghcr.io/weaveworks/charts
+
 # ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary.
 ENVTEST_K8S_VERSION = 1.28.0
 
+
 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
 ifeq (,$(shell go env GOBIN))
 GOBIN=$(shell go env GOPATH)/bin
@@ -137,6 +145,7 @@ KUBECTL ?= kubectl
 KUSTOMIZE ?= $(LOCALBIN)/kustomize
 CONTROLLER_GEN ?= $(LOCALBIN)/controller-gen
 ENVTEST ?= $(LOCALBIN)/setup-envtest
+HELMIFY ?= $(LOCALBIN)/helmify
 
 ## Tool Versions
 KUSTOMIZE_VERSION ?= v5.1.1
@@ -161,3 +170,25 @@ $(CONTROLLER_GEN): $(LOCALBIN)
 envtest: $(ENVTEST) ## Download envtest-setup locally if necessary.
 $(ENVTEST): $(LOCALBIN)
 	test -s $(LOCALBIN)/setup-envtest || GOBIN=$(LOCALBIN) go install sigs.k8s.io/controller-runtime/tools/setup-envtest@latest
+
+.PHONY: helmify
+helmify: $(HELMIFY)
+$(HELMIFY): $(LOCALBIN)
+	GOBIN=$(LOCALBIN) go install github.com/arttor/helmify/cmd/helmify@v0.4.3
+
+.PHONY: helm
+helm: manifests kustomize helmify
+	$(KUSTOMIZE) build config/default | $(HELMIFY) -crd-dir ../weave-gitops-enterprise/charts/cluster-reflector-controller
+
+.PHONY: helm-chart
+helm-chart: manifests kustomize helmify
+	cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
+	$(KUSTOMIZE) build config/default | $(HELMIFY) -crd-dir charts/cluster-reflector-controller
+	echo "fullnameOverride: cluster-reflector" >> charts/cluster-reflector-controller/values.yaml
+	cp LICENSE charts/cluster-reflector-controller/LICENSE
+	helm lint charts/cluster-reflector-controller
+	helm package charts/cluster-reflector-controller --app-version $(VERSION) --version $(CHART_VERSION) --destination /tmp/helm-repo
+
+.PHONY: publish-helm-chart
+publish-helm-chart: helm-chart
+	helm push /tmp/helm-repo/cluster-reflector-controller-${CHART_VERSION}.tgz oci://${CHART_REGISTRY}
\ No newline at end of file
diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml
index 5c5f0b8..e40d301 100644
--- a/config/manager/kustomization.yaml
+++ b/config/manager/kustomization.yaml
@@ -1,2 +1,8 @@
 resources:
 - manager.yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+images:
+- name: controller
+  newName: ghcr.io/weaveworks/cluster-reflector-controller
+  newTag: latest