diff --git a/.github/workflows/run-liquibase.yaml b/.github/workflows/run-liquibase.yaml
new file mode 100644
index 0000000000..c71616d62c
--- /dev/null
+++ b/.github/workflows/run-liquibase.yaml
@@ -0,0 +1,106 @@
+name: Run Liquibase Migrations
+on:
+ workflow_dispatch:
+ inputs:
+ version:
+ description: "Version tag for the container"
+ required: true
+ type: string
+ account:
+ description: "Target AWS account"
+ required: true
+ type: choice
+ options:
+ - nonprod
+ - prod
+ dry_run:
+ description: "Run in dry-run mode (show pending changes only)"
+ required: true
+ type: boolean
+ default: true
+ ref:
+ description: "Git ref to checkout (branch, tag, or commit SHA)"
+ required: false
+ type: string
+ default: "main"
+ submit_job:
+ description: "Submit AWS Batch job after building"
+ required: true
+ type: boolean
+ default: false
+ workflow_call:
+ inputs:
+ version:
+ type: string
+ required: true
+ push:
+ type: boolean
+ required: true
+ default: false
+ account:
+ type: string
+ required: true
+ enum: ["nonprod", "prod"]
+ ref:
+ type: string
+ required: false
+ default: "main"
+env:
+ REGISTRY: 054614622558.dkr.ecr.eu-west-1.amazonaws.com
+ AWS_REGION: ${{ vars.DVSA_AWS_REGION }}
+ AWS_OIDC_ROLE: ${{ (inputs.account || github.event.inputs.account) == 'prod' && vars.ACCOUNT_PROD_TF_OIDC_ROLE || vars.ACCOUNT_NONPROD_TF_OIDC_ROLE }}
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ ref: ${{ inputs.ref || github.event.inputs.ref }}
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+ - name: Configure AWS credentials
+ if: ${{ inputs.push || github.event_name == 'workflow_dispatch' }}
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: ${{ env.AWS_OIDC_ROLE }}
+ aws-region: ${{ env.AWS_REGION }}
+ - name: Login to ECR
+ if: ${{ inputs.push || github.event_name == 'workflow_dispatch' }}
+ uses: docker/login-action@v3
+ with:
+ registry: ${{ env.REGISTRY }}
+ - name: Build and push
+ uses: docker/build-push-action@v6
+ with:
+ context: ./infra/docker/liquibase
+ push: ${{ inputs.push || github.event_name == 'workflow_dispatch' }}
+ tags: |
+ ${{ env.REGISTRY }}/vol-app/liquibase:${{ inputs.version || github.event.inputs.version }}
+ ${{ env.REGISTRY }}/vol-app/liquibase:latest
+ cache-from: type=gha,scope=liquibase
+ cache-to: type=gha,mode=max,scope=liquibase
+ build-args: |
+ GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}
+ submit-batch-job:
+ needs: build
+ if: |
+ (inputs.push || (github.event_name == 'workflow_dispatch' && github.event.inputs.submit_job == 'true'))
+ runs-on: ubuntu-latest
+ steps:
+ - name: Configure AWS credentials
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: ${{ env.AWS_OIDC_ROLE }}
+ aws-region: ${{ env.AWS_REGION }}
+ - name: Submit AWS Batch job
+ run: |
+ aws batch submit-job \
+ --job-name "liquibase-migration-${{ inputs.version || github.event.inputs.version }}" \
+ --job-queue "${{ (inputs.account || github.event.inputs.account) == 'prod' && vars.ACCOUNT_PROD_BATCH_JOB_QUEUE || vars.ACCOUNT_NONPROD_BATCH_JOB_QUEUE }}" \
+ --job-definition "${{ (inputs.account || github.event.inputs.account) == 'prod' && vars.ACCOUNT_PROD_BATCH_LIQUIBASE_JOB_DEFINITION || vars.ACCOUNT_NONPROD_BATCH_LIQUIBASE_JOB_DEFINITION }}" \
+ --container-overrides "{
+ \"image\": \"${{ env.REGISTRY }}/vol-app/liquibase:${{ inputs.version || github.event.inputs.version }}\",
+ \"environment\": [
+ {\"name\": \"DRY_RUN\", \"value\": \"${{ github.event.inputs.dry_run || 'false' }}\"}
+ ]
+ }"
diff --git a/infra/docker/liquibase/Dockerfile b/infra/docker/liquibase/Dockerfile
new file mode 100644
index 0000000000..2c4cc4315a
--- /dev/null
+++ b/infra/docker/liquibase/Dockerfile
@@ -0,0 +1,13 @@
+FROM alpine/git AS repo
+ARG GITHUB_TOKEN
+WORKDIR /app
+RUN git clone https://${GITHUB_TOKEN}@github.com/dvsa/olcs-etl .
+
+FROM liquibase/liquibase
+USER root
+COPY --from=repo /app /liquibase/changelog
+COPY entrypoint.sh /liquibase/
+RUN chmod +x /liquibase/entrypoint.sh
+ENV INSTALL_MYSQL=true
+USER liquibase
+ENTRYPOINT ["/liquibase/entrypoint.sh"]
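Review bot: In the `Submit AWS Batch job` step the free-form `version` input is expanded by `${{ }}` directly into the `run:` script and into a hand-escaped JSON string, so a value containing a quote, a backtick or `$(...)` is interpreted by the shell while the job holds the assumed AWS role, including the prod one. Pass the values through `env:` and build the overrides with `jq` so they are only ever treated as data, as in the excerpt below. The same `version` string also becomes an image tag in `Build and push`, so validating it against a tag pattern at the start of the job would protect both uses. Separately, no `permissions:` block is visible in this file; OIDC role assumption normally needs `id-token: write`, and declaring it next to `contents: read` keeps the token scope explicit.

```yaml
      - name: Submit AWS Batch job
        env:
          VERSION: ${{ inputs.version || github.event.inputs.version }}
          DRY_RUN: ${{ github.event.inputs.dry_run || 'false' }}
          JOB_QUEUE: ${{ (inputs.account || github.event.inputs.account) == 'prod' && vars.ACCOUNT_PROD_BATCH_JOB_QUEUE || vars.ACCOUNT_NONPROD_BATCH_JOB_QUEUE }}
          JOB_DEFINITION: ${{ (inputs.account || github.event.inputs.account) == 'prod' && vars.ACCOUNT_PROD_BATCH_LIQUIBASE_JOB_DEFINITION || vars.ACCOUNT_NONPROD_BATCH_LIQUIBASE_JOB_DEFINITION }}
        run: |
          # Values arrive as environment variables, never as script text.
          overrides="$(jq -nc \
            --arg image "${REGISTRY}/vol-app/liquibase:${VERSION}" \
            --arg dry_run "${DRY_RUN}" \
            '{image: $image, environment: [{name: "DRY_RUN", value: $dry_run}]}')"
          aws batch submit-job \
            --job-name "liquibase-migration-${VERSION}" \
            --job-queue "${JOB_QUEUE}" \
            --job-definition "${JOB_DEFINITION}" \
            --container-overrides "${overrides}"
```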
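Review bot: The clone URL in the `repo` stage embeds `GITHUB_TOKEN`, git records that URL in `/app/.git/config`, and `COPY --from=repo /app /liquibase/changelog` then carries the `.git` directory into the final image that the workflow pushes to ECR; a build `ARG` can additionally surface in build metadata and in the `mode=max` cache export. Use a BuildKit secret and drop the git metadata, e.g. `RUN --mount=type=secret,id=github_token git clone --depth 1 "https://x-access-token:$(cat /run/secrets/github_token)@github.com/dvsa/olcs-etl" . && rm -rf .git`, with the workflow passing `secrets: |` and `github_token=${{ secrets.GITHUB_TOKEN }}` in place of `build-args`. The clone also takes whatever the default branch of `olcs-etl` holds at build time, so the changesets that later run against prod are not tied to the `version` or `ref` inputs; cloning a pinned tag or commit would make the image reproducible. Both `FROM` lines are untagged, which leaves the base images equally unpinned.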
diff --git a/infra/docker/liquibase/entrypoint.sh b/infra/docker/liquibase/entrypoint.sh
new file mode 100644
index 0000000000..3c0281c019
--- /dev/null
+++ b/infra/docker/liquibase/entrypoint.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+set -e
+
+cd /liquibase/changelog
+
+LIQUIBASE_OPTS="--driver=com.mysql.cj.jdbc.Driver \
+ --classpath=/liquibase/changelog/mysql-connector-java-8.0.21/mysql-connector-java-8.0.21.jar \
+ --url=jdbc:mysql://${DB_HOST}:${DB_PORT}/${DB_NAME} \
+ --username=${DB_USER} \
+ --password=${DB_PASSWORD} \
+ --changelog-file=changesets/OLCS.xml \
+ --log-level=info"
+
+if [[ "$1" == "--dry-run" ]]; then
+ echo "Running in dry-run mode - showing pending changes:"
+ liquibase ${LIQUIBASE_OPTS} status --verbose
+ liquibase ${LIQUIBASE_OPTS} update-sql
+else
+ echo "Running migrations..."
+ liquibase ${LIQUIBASE_OPTS} update
+fi
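Review bot: Dry-run is selected only by `$1 == "--dry-run"`, but the workflow in this commit passes the choice as a `DRY_RUN` environment variable in `--container-overrides` and no command override is visible, so unless the Batch job definition (not shown) supplies that argument, a dispatch with `dry_run: true` falls into the `else` branch and runs `liquibase update`. Honouring the variable closes the gap: `if [[ "$1" == "--dry-run" || "${DRY_RUN:-false}" == "true" ]]; then`. `--password=${DB_PASSWORD}` puts the database password on the liquibase command line, where it is visible in the process list; Liquibase also reads `LIQUIBASE_COMMAND_PASSWORD` (and the matching `_URL` and `_USERNAME` variables) from the environment, which avoids that. The unquoted `${LIQUIBASE_OPTS}` expansion is word-split and globbed, so a password containing a space or `*` would break the call; a bash array expanded as `"${opts[@]}"` is the safe form. `set -euo pipefail` would also make a missing `DB_*` variable fail fast instead of producing a malformed JDBC URL.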