diff --git a/.github/workflows/build-dbt-runner.yml b/.github/workflows/build-dbt-runner.yml
index 5e7ffe6..354fc6c 100644
--- a/.github/workflows/build-dbt-runner.yml
+++ b/.github/workflows/build-dbt-runner.yml
@@ -4,6 +4,7 @@ on:
 workflow_dispatch:
 push:
 paths:
+ - '.github/**'
 - 'dbt/**'
 - 'dbt-container/**'
@@ -14,7 +15,28 @@ jobs:
 steps:
 - uses: actions/checkout@v4
- - name: Build container
- run: dbt-container/build.sh
+ - name: Configure AWS credentials
+ uses: aws-actions/configure-aws-credentials@v1
+ with:
+ role-to-assume: ${{ secrets.AWS_OVARA_UTILITY_ROLE_ARN }}
+ role-session-name: ovara-dbt-runner-ecr-push
+ aws-region: eu-west-1
+ - name: Login to Amazon ECR
+ id: login-ecr
+ uses: aws-actions/amazon-ecr-login@v2
+ - name: Login to docker with ECR
+ uses: docker/login-action@v3
+ with:
+ registry: ${{ steps.ecr-login.outputs.registry }}
+
+ - name: Build, tag, and push docker image to Amazon ECR
+ env:
+ REGISTRY: ${{ steps.login-ecr.outputs.registry }}
+ REPOSITORY: ovara-dbt-runner
+ IMAGE_TAG: ga-${{ github.run_number }}
+ run: |
+ cd dbt-container
+ docker build -t $REGISTRY/$REPOSITORY:$IMAGE_TAG .
+ docker push $REGISTRY/$REPOSITORY:$IMAGE_TAG
diff --git a/utility/cdk/lib/ecr-stack.ts b/utility/cdk/lib/ecr-stack.ts
index 16faafe..fd40d35 100644
--- a/utility/cdk/lib/ecr-stack.ts
+++ b/utility/cdk/lib/ecr-stack.ts
@@ -1,5 +1,7 @@
 import * as cdk from 'aws-cdk-lib';
 import * as ecr from 'aws-cdk-lib/aws-ecr';
+import * as iam from 'aws-cdk-lib/aws-iam';
+import * as cdkNag from 'cdk-nag';
 import { Construct } from 'constructs';
 
 export class EcrStack extends cdk.Stack {
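Review bot: The `Login to docker with ECR` step reads `steps.ecr-login.outputs.registry`, but the ECR login step is declared with `id: login-ecr`, so the expression resolves to an empty string and `docker/login-action@v3` is pointed at its default registry with no credentials instead of ECR. `aws-actions/amazon-ecr-login@v2` already performs the `docker login` for the registry it returns, so the step can simply be removed; if it is kept, the reference must be `${{ steps.login-ecr.outputs.registry }}` as the build step already uses. The OIDC exchange in `Configure AWS credentials` also requires `permissions: id-token: write` (plus `contents: read` for the checkout) on the job or workflow, which is not visible in this hunk and should be confirmed, since the default token permissions do not allow requesting the ID token. `aws-actions/configure-aws-credentials@v1` is several majors behind; `role-to-assume`, `role-session-name` and `aws-region` are unchanged on the current major, so bumping it is low-risk. With `push` unfiltered by branch as far as this hunk shows, every branch push now publishes an image tagged `ga-<run_number>`, so consider a `branches:` filter if only the main line should push to the registry.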
@@ -11,5 +13,31 @@ export class EcrStack extends cdk.Stack {
 repositoryName: dbtRunnerRepositoryName,
 imageScanOnPush: true,
 });
+
+ const githubOidcProvider = new iam.OpenIdConnectProvider(this, `OvaraUtilityGithubOidcProvider`, {
+ url: 'https://token.actions.githubusercontent.com',
+ thumbprints: ['6938fd4d98bab03faadb97b34396831e3780aea1'],
+ clientIds: ['sts.amazonaws.com'],
+ });
+
+ const githubActionsDeploymentRole = new iam.Role(this, `OvaraUtilityGithubActionsUser`, {
+ assumedBy: new iam.WebIdentityPrincipal(
+ githubOidcProvider.openIdConnectProviderArn,
+ {
+ StringLike: {
+ 'token.actions.githubusercontent.com:sub': 'repo:opetushallitus/ovara',
+ 'token.actions.githubusercontent.com:aud': 'sts.amazonaws.com',
+ },
+ },
+ ),
+ roleName: 'ovara-utility-github-actions-deployment-role',
+ });
+
+ dbtRunnerRepository.grantPush(githubActionsDeploymentRole);
+
+ cdkNag.NagSuppressions.addStackSuppressions(this, [
+ { id: 'AwsSolutions-IAM5', reason: 'In this case it is ok.' },
+ ]);
+
 }
 }
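Review bot: The trust condition `StringLike` on `'token.actions.githubusercontent.com:sub': 'repo:opetushallitus/ovara'` contains no wildcard, and GitHub's `sub` claim always carries a suffix (`repo:<org>/<repo>:ref:refs/heads/<branch>`, `:environment:<name>` or `:pull_request`), so as written no workflow run should be able to assume this role. Rather than `repo:opetushallitus/ovara:*`, which would let every branch in the repository push images, scope it to the publishing ref, e.g. `'token.actions.githubusercontent.com:sub': 'repo:opetushallitus/ovara:ref:refs/heads/main'`, and move the `aud` check into a `StringEquals` block since it is an exact value. The stack-wide `AwsSolutions-IAM5` suppression with reason `'In this case it is ok.'` will also hide future wildcard findings on anything added to this stack; prefer `cdkNag.NagSuppressions.addResourceSuppressions(githubActionsDeploymentRole, [...], true)` with a reason naming the actual wildcard, presumably `ecr:GetAuthorizationToken` on resource `*`, which `grantPush` attaches because that action is not resource-scoped. The hard-coded `thumbprints` value will drift if GitHub rotates its certificate chain; as far as I know AWS now validates this issuer against its own trusted CA list and the CDK construct can fetch the thumbprint when the property is omitted, so confirm against the aws-cdk-lib version in use before keeping the literal. The constructor this hunk belongs to starts outside the hunk.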