diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
new file mode 100644
index 0000000..1fe2ee9
--- /dev/null
+++ b/.github/workflows/build.yml
@@ -0,0 +1,43 @@
+name: Make distributions and test
+
+on:
+  # run workflows on main master and release/** branches
+  push:
+    branches:
+      - main
+      - master
+      - release/**
+  # run workflows on pull requests against the same branches
+  pull_request:
+    branches:
+      - main
+      - master
+      - release/**
+
+# automatically cancel redundant builds
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  makeandtest:
+    name: ${{ matrix.distro }}:${{ matrix.version }}
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - distro: eurolinux/centos-7
+            version: latest
+          - distro: rockylinux
+            version: 8
+          - distro: rockylinux
+            version: 9
+          - distro: opensuse/leap
+            version: 15
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Get source code
+        uses: actions/checkout@v3
+
+      - name: Run make-and-test under docker
+        run: ./ci/docker-run ${{ matrix.distro }}:${{ matrix.version }}
diff --git a/ci/docker-run b/ci/docker-run
new file mode 100755
index 0000000..97c063d
--- /dev/null
+++ b/ci/docker-run
@@ -0,0 +1,24 @@
+#!/bin/bash -e
+# Run docker as shown at
+#  https://djw8605.github.io/2016/05/03/building-centos-packages-on-travisci/
+#
+# This more complicated setup is needed for github actions too because 
+#  they do not provide a mechanism for reliably enabling user namespaces.
+# Github actions does at least start a VM with docker already running.
+
+# Assumes running on Ubuntu 24+
+
+DOCKER_HUB_URI="$1"
+docker pull "$DOCKER_HUB_URI"
+
+DOCKER_CONTAINER_NAME="test_${OS_TYPE##*/}_${OS_VERSION//./_}"
+
+set -x
+docker run --privileged --network=host -v "$(pwd):/source:rw" \
+  -e DOCKER_HUB_URI="$DOCKER_HUB_URI" \
+  --name "$DOCKER_CONTAINER_NAME" "$DOCKER_HUB_URI" /bin/bash -exc \
+	"cd /source && ./ci/privileged-run"
+
+docker ps -a
+docker stop "$DOCKER_CONTAINER_NAME"
+docker rm -v "$DOCKER_CONTAINER_NAME"
diff --git a/ci/make-and-test b/ci/make-and-test
new file mode 100755
index 0000000..86d1d3c
--- /dev/null
+++ b/ci/make-and-test
@@ -0,0 +1,35 @@
+#!/bin/bash
+# Now running as an unprivileged user with user namespaces enabled in a
+# container and required packages installed. Make distributions and test.
+
+. /etc/os-release
+
+set -ex
+curl -s https://raw.githubusercontent.com/apptainer/apptainer/main/tools/install-unprivileged.sh | bash -s - apptainer
+PATH=$PATH:$PWD/apptainer/bin
+for DIST in default osg egi; do
+    if [ "$DIST" = egi ] && [[ "$VERSION_ID" != 7* ]]; then
+        # egi not yet supported for el8 or el9
+        continue
+    fi
+    rm -rf dist /tmp/cvmfsexec
+    : test makedist
+    ./makedist $DIST
+    : test mode 3
+    ./cvmfsexec atlas.cern.ch -- ls /cvmfs/atlas.cern.ch/repo
+    : test self-extracting distribution
+    ./makedist -o /tmp/cvmfsexec
+    /tmp/cvmfsexec atlas.cern.ch -- ls /cvmfs/atlas.cern.ch/repo
+    ./makedist -o /tmp/cvmfsexec
+    : test mode 1
+    rm -rf dist/var/lib/cvmfs/shared
+    ./mountrepo `cd dist/cvmfs; echo *config*`
+    ./mountrepo atlas.cern.ch
+    ls dist/cvmfs/atlas.cern.ch/repo
+    ./umountrepo -a
+    : test mode 4
+    rm -rf dist /tmp/cvmfsexec
+    ./makedist -s $DIST
+    ./makedist -s -o /tmp/cvmfsexec
+    SINGCVMFS_REPOSITORIES=atlas.cern.ch ./singcvmfs exec -cip docker://$DOCKER_HUB_URI ls /cvmfs/atlas.cern.ch/repo
+done
diff --git a/ci/privileged-run b/ci/privileged-run
new file mode 100755
index 0000000..04c7e98
--- /dev/null
+++ b/ci/privileged-run
@@ -0,0 +1,22 @@
+#!/bin/bash
+# Running in a privileged container.  Install required packages and
+# switch to an unprivileged user to run the tests.
+
+set -ex
+if [ -f /usr/bin/zypper ]; then
+    # suse
+    zypper install -y tar gzip openssl-1_1 fuse fuse3
+else
+    # rhel
+    yum install -y procps-ng cpio findutils fuse fuse3
+fi
+
+# because host kernel is Ubuntu 24+, this enables user namespaces
+sysctl kernel.apparmor_restrict_unprivileged_userns=0
+
+# switch to an unprivileged user
+useradd -u 1000 --create-home -s /bin/bash testuser
+# leave .git as original owner for post job cleanup
+chown testuser .
+chown -R testuser *
+su testuser -c ci/make-and-test
diff --git a/makedist b/makedist
index 199829d..177c0eb 100755
--- a/makedist
+++ b/makedist
@@ -185,6 +185,10 @@ fi
 echo "Making $SINGMSG$DISTTYPE distribution for $MACHTYPE"
 
 getcoprurl() {
+    if [ ! -f /usr/bin/yumdownloader ]; then
+        echo "yumdownloader not found, skipping trying to get $1 from copr" >&2
+        return
+    fi
     typeset TMPF=$(mktemp)
     typeset REPONAME=makedist-$1
     cat >$TMPF <<!EOF!
@@ -285,7 +289,7 @@ if $INCLUDEHELPER; then
     fi
     URLS="$URLS $BASEURL/$HELPER"
     if [ "$EL" -lt 8 ]; then
-        EPELURL="https://download.fedoraproject.org/pub/epel/$EL/$ARCH/Packages"
+        EPELURL="https://archives.fedoraproject.org/pub/archive/epel/$EL/$ARCH/Packages"
     else
         EPELURL="https://download.fedoraproject.org/pub/epel/$EL/Everything/$ARCH/Packages"
     fi