diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
new file mode 100644
index 00000000000..f112f2d3929
--- /dev/null
+++ b/.github/workflows/build.yml
@@ -0,0 +1,100 @@
+#  ~ Licensed to the Apache Software Foundation (ASF) under one
+#  ~ or more contributor license agreements.  See the NOTICE file
+#  ~ distributed with this work for additional information
+#  ~ regarding copyright ownership.  The ASF licenses this file
+#  ~ to you under the Apache License, Version 2.0 (the
+#  ~ "License"); you may not use this file except in compliance
+#  ~ with the License.  You may obtain a copy of the License at
+#  ~
+#  ~   http://www.apache.org/licenses/LICENSE-2.0
+#  ~
+#  ~ Unless required by applicable law or agreed to in writing,
+#  ~ software distributed under the License is distributed on an
+#  ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+#  ~ KIND, either express or implied.  See the License for the
+#  ~ specific language governing permissions and limitations
+#  ~ under the License.
+
+name: Build
+on:
+  push:
+    branches:
+      - trunk
+  pull_request:
+    types: [opened, synchronize, reopened]
+jobs:
+  build:
+    name: Maven Build
+    runs-on: ubuntu-latest
+    steps:
+      - name: Git clone
+        uses: actions/checkout@v4
+      - name: Set up JDK 11
+        uses: actions/setup-java@v4
+        with:
+          java-version: 11
+          distribution: temurin
+          cache: maven
+          server-id: apache.snapshots.https # Value of the distributionManagement/repository/id field of the pom.xml
+          server-username: MAVEN_APACHE_NEXUS_USERNAME # env variable for username in deploy
+          server-password: MAVEN_APACHE_NEXUS_PASSWORD # env variable for token in deploy
+      # sets environment variables to be used in subsequent steps: https://docs.github.com/en/actions/reference/workflow-commands-for-github-actions#setting-an-environment-variable
+      - name: Set environment variables
+        shell: bash
+        run: |
+          if [ "${{github.ref}}" = "refs/heads/trunk" ] && [ "${{github.event_name}}" = "push" ] && [ "${{github.repository_owner}}" = "apache" ]; then
+            echo 'Running on main branch of the canonical repo'
+            echo "MVN_ADDITIONAL_OPTS=-DdeployAtEnd=true" >> $GITHUB_ENV
+            echo "MVN_GOAL=deploy" >> $GITHUB_ENV
+            echo "MAVEN_APACHE_NEXUS_USERNAME=${{ secrets.NEXUS_USER }}" >> $GITHUB_ENV
+            echo "MAVEN_APACHE_NEXUS_PASSWORD=${{ secrets.NEXUS_PW }}" >> $GITHUB_ENV
+          else
+            echo 'Running outside main branch/canonical repo'
+            echo "MVN_ADDITIONAL_OPTS=" >> $GITHUB_ENV
+            echo "MVN_GOAL=install" >> $GITHUB_ENV
+          fi
+      - name: Build
+        # executing ITs requires installing artifacts to the local repository
+        run: mvn -B ${{ env.MVN_GOAL }} ${{ env.MVN_ADDITIONAL_OPTS }} -Pcoverage,integrationTesting,javadoc -Dorg.ops4j.pax.url.mvn.repositories="https://repo1.maven.org/maven2@id=central"
+      - name: Upload build result
+        uses: actions/upload-artifact@v4
+        with:
+          name: compiled-classes-and-coverage
+          # compare with https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/languages/java/#java-analysis-and-bytecode
+          path: |
+            **/target/**/*.class
+            **/target/site/jacoco*/*.xml
+
+  # execute analysis in a separate job for better visualization and usage of matrix builds
+  # https://docs.sonarsource.com/sonarcloud/advanced-setup/ci-based-analysis/sonarscanner-for-maven/#invoking-the-goal
+  sonar:
+    name: SonarQube Analysis
+    runs-on: ubuntu-latest
+    needs: build
+    # not supported on forks, https://portal.productboard.com/sonarsource/1-sonarqube-cloud/c/50-sonarcloud-analyzes-external-pull-request
+    if: ${{ github.repository == 'apache/jackrabbit'  }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
+      - name: Set up JDK 17
+        uses: actions/setup-java@v4
+        with:
+          java-version: 17
+          distribution: temurin
+          cache: maven
+      - name: Download compiled classes
+        uses: actions/download-artifact@v4
+        with:
+          name: compiled-classes-and-coverage
+      - name: Cache SonarQube packages
+        uses: actions/cache@v4
+        with:
+          path: ~/.sonar/cache
+          key: ${{ runner.os }}-sonar
+          restore-keys: ${{ runner.os }}-sonar
+      - name: Analyze with SonarQube
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information, if any
+          SONAR_TOKEN: ${{ secrets.SONARCLOUD_TOKEN }}
+        run: SONAR_SCANNER_JAVA_OPTS="-Xmx8g" mvn -B org.sonarsource.scanner.maven:sonar-maven-plugin:5.1.0.4751:sonar -Dsonar.projectKey=apache_jackrabbit -Dsonar.organization=apache -Dsonar.scanner.skipJreProvisioning=true
\ No newline at end of file