diff --git a/.forgejo/workflows/tag-release.yml b/.forgejo/workflows/tag-release.yml
index b69eee4..6dffa2a 100644
--- a/.forgejo/workflows/tag-release.yml
+++ b/.forgejo/workflows/tag-release.yml
@@ -25,6 +25,7 @@ on:
 - maven-build
 - pnpm-build
 - publish-static-contents
+ - rust-build
 - terraform-apply
 - terraform-validate
 - upload-artifact
diff --git a/README.md b/README.md
index eb8b0f0..c35a5bb 100644
--- a/README.md
+++ b/README.md
@@ -18,6 +18,7 @@ Shared actions for Forgejo CI/CD pipelines.
 | [maven-build](maven-build) | Action for building and validating Maven projects |
 | [pnpm-build](pnpm-build) | Action for building and validating with PNPM |
 | [publish-static-contents](publish-static-contents) | Syncs frontend assets to S3 and invalidates a CloudFront distribution |
+| [rust-build](rust-build) | Set up Rust toolchain, run checks, and build via the project's build.sh |
 | [terraform-apply](terraform-apply) | Apply Terraform configuration files using the official Terraform CLI |
 | [terraform-validate](terraform-validate) | Validate Terraform configuration files using the official Terraform CLI |
 | [upload-artifact](upload-artifact) | Upload files as a Forgejo Actions artifact |
diff --git a/rust-build/README.md b/rust-build/README.md
new file mode 100644
index 0000000..7245382
--- /dev/null
+++ b/rust-build/README.md
@@ -0,0 +1,42 @@
+# rust-build
+
+Set up Rust toolchain, configure Cargo registry, cache dependencies, run optional checks, and build via the project's `build.sh` script.
+
+## Inputs
+
+| Input | Required | Default | Description |
+|-------|----------|---------|-------------|
+| `working-directory` | No | `.` | Directory containing `Cargo.toml` and `build.sh` |
+| `rust-version` | No | `1.95.0` | Rust toolchain version |
+| `cross-target` | No | `x86_64-unknown-linux-musl` | Cross-compilation target triple |
+| `build-mode` | No | `release` | Build mode — `release` or `debug` |
+| `run-checks` | No | `""` | Comma-separated checks to run before building — `fmt`, `clippy`, `test` |
+| `jfrog-token` | No | `""` | JFrog token for the Artifactory Cargo registry |
+
+## Usage
+
+### PR check (checks + debug build)
+
+```yaml
+- uses: https://schmalz-git.git.onstackit.cloud/schmalz/shared-actions/rust-build@rust-build-v1
+ with:
+ working-directory: backend-rs
+ build-mode: debug
+ run-checks: fmt,clippy,test
+ jfrog-token: ${{ secrets.JFROG_TOKEN }}
+```
+
+### Release build
+
+```yaml
+- uses: https://schmalz-git.git.onstackit.cloud/schmalz/shared-actions/rust-build@rust-build-v1
+ with:
+ working-directory: backend-rs
+ jfrog-token: ${{ secrets.JFROG_TOKEN }}
+```
+
+## Notes
+
+- Requires a `build.sh` in `working-directory` that accepts `--target ` and optionally `--release`. The script is responsible for running `cargo build` and copying binaries to `target/deploy/`.
+- Configures the Artifactory Cargo registry only if `jfrog-token` is provided.
+- Third-party actions used internally are pinned to exact commit SHAs to prevent supply chain attacks.
diff --git a/rust-build/action.yml b/rust-build/action.yml
new file mode 100644
index 0000000..d12b6cb
--- /dev/null
+++ b/rust-build/action.yml
@@ -0,0 +1,112 @@
+name: rust-build
+description: >
+ Set up Rust toolchain, configure Cargo registry, cache dependencies,
+ run optional checks, and build via the project's build.sh script.
+
+inputs:
+ working-directory:
+ description: Directory containing Cargo.toml and build.sh
+ required: false
+ default: "."
+ rust-version:
+ description: Rust toolchain version (passed to dtolnay/rust-toolchain)
+ required: false
+ default: "1.95.0"
+ cross-target:
+ description: Cross-compilation target triple
+ required: false
+ default: x86_64-unknown-linux-musl
+ build-mode:
+ description: Build mode — 'release' or 'debug'
+ required: false
+ default: release
+ run-checks:
+ description: Comma-separated checks to run before building — 'fmt', 'clippy', 'test'
+ required: false
+ default: ""
+ jfrog-token:
+ description: JFrog token for the Artifactory Cargo registry
+ required: false
+ default: ""
+
+runs:
+ using: composite
+ steps:
+ - name: Install musl tools
+ shell: bash
+ run: |
+ if ! command -v musl-gcc &>/dev/null; then
+ sudo apt-get update -qq && sudo apt-get install -y -qq musl-tools
+ fi
+
+ # Pinned to commit SHA instead of a tag to prevent supply chain attacks.
+ # dtolnay/rust-toolchain v1 (2026-03-27) — https://github.com/dtolnay/rust-toolchain/commit/3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9
+ - name: Setup Rust toolchain
+ id: rust-toolchain
+ uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9
+ with:
+ toolchain: ${{ inputs.rust-version }}
+ targets: ${{ inputs.cross-target }}
+ components: rustfmt,clippy
+
+ - name: Configure Cargo registry (JFrog Artifactory)
+ if: ${{ inputs.jfrog-token != '' }}
+ shell: bash
+ env:
+ JFROG_TOKEN: ${{ inputs.jfrog-token }}
+ run: |
+ mkdir -p "${CARGO_HOME}"
+ cat >> "${CARGO_HOME}/config.toml" <<'EOF'
+ [registries.artifactory]
+ index = "sparse+https://schmalz.jfrog.io/artifactory/api/cargo/schmalz-cargo-local/index/"
+ [registry]
+ global-credential-providers = ["cargo:token"]
+ EOF
+
+ cat >> "${CARGO_HOME}/credentials.toml" <