diff --git a/.github/workflows/dotnet.yml b/.github/workflows/dotnet.yml
index 191dd65a..e8681ca7 100644
--- a/.github/workflows/dotnet.yml
+++ b/.github/workflows/dotnet.yml
@@ -1,5 +1,5 @@
-# This workflow will build a .NET project
-# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-net
+# Builds the project, runs tests and creates NuGet packages.
+# Triggers on pushes to main and version tags, and pull requests targeting main.
 name: .NET
@@ -7,6 +7,9 @@ on:
 push:
 branches:
 - main
+ tags:
+ - '[0-9]+.[0-9]+.[0-9]+'
+ - '[0-9]+.[0-9]+.[0-9]+-*'
 pull_request:
 branches:
 - main
diff --git a/.github/workflows/nuget-publish.yml b/.github/workflows/nuget-publish.yml
new file mode 100644
index 00000000..ddc49df8
--- /dev/null
+++ b/.github/workflows/nuget-publish.yml
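Review bot: The prerelease filter `'[0-9]+.[0-9]+.[0-9]+-*'` added under `on.push.tags` in dotnet.yml accepts any suffix, while the version check in nuget-publish.yml only accepts `(-[a-zA-Z0-9.]+)?`. A tag whose suffix contains a character outside that set (an underscore, say) would run CI and then be skipped for publishing with no signal. Either tighten the filter or add a comment above `tags:` such as `# keep in sync with the version regex in nuget-publish.yml`. The `on:` block starts outside this hunk.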
@@ -0,0 +1,65 @@
+# Publishes NuGet packages to NuGet.org using trusted publishing.
+# Triggers when a version tag push causes the .NET CI workflow to complete successfully.
+# Requires reviewer approval for the nuget-publish environment
+
+name: Publish NuGet Packages
+
+on:
+ workflow_run:
+ workflows: [".NET"]
+ types: [completed]
+
+jobs:
+ check-tag:
+ name: Check version tag
+ runs-on: ubuntu-latest
+ if: github.event.workflow_run.conclusion == 'success'
+ outputs:
+ is-version-tag: ${{ steps.check.outputs.is-version-tag }}
+ steps:
+ - name: Check if triggered by a version tag
+ id: check
+ run: |
+ if [[ "${{ github.event.workflow_run.head_branch }}" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9.]+)?$ ]]; then
+ echo "is-version-tag=true" >> "$GITHUB_OUTPUT"
+ else
+ echo "is-version-tag=false" >> "$GITHUB_OUTPUT"
+ fi
+
+ publish:
+ name: Publish to NuGet.org
+ runs-on: ubuntu-latest
+ needs: check-tag
+ if: needs.check-tag.outputs.is-version-tag == 'true'
+
+ environment: nuget-publish
+
+ permissions:
+ id-token: write
+ contents: read
+
+ steps:
+ - name: Download NuGet packages artifact
+ uses: actions/download-artifact@v4
+ with:
+ name: nuget-packages
+ path: nuget/
+ run-id: ${{ github.event.workflow_run.id }}
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Setup .NET
+ uses: actions/setup-dotnet@v4
+ with:
+ dotnet-version: 10.0.x
+
+ - name: NuGet login
+ uses: NuGet/login@v1
+ id: login
+ with:
+ user: ${{ secrets.NUGET_USER }}
+
+ - name: NuGet push
+ run: dotnet nuget push "nuget/*.nupkg" \
+ --api-key ${{steps.login.outputs.NUGET_API_KEY}} \
+ --source https://api.nuget.org/v3/index.json \
+ --skip-duplicate
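Review bot: In the `check` step, `${{ github.event.workflow_run.head_branch }}` is expanded into the script text before bash runs. The `.NET` workflow also runs on pull requests, where that value is a branch name chosen by the contributor, so the publish gate takes untrusted text as shell source and can be satisfied by a branch that is merely named like a version. Pass the value through `env:` and compare `"$HEAD_BRANCH"`, and require `github.event.workflow_run.event == 'push'` in the job's `if:` so pull-request runs never reach `publish`. Because `head_branch` alone cannot tell a tag from a same-repository branch, the `nuget-publish` environment approval remains the control that matters and reviewers should confirm the tag there. Separately, the `NuGet push` step's `run:` is a plain scalar, so YAML folds its lines and each `\` escapes a space instead of a newline; `run: |` would keep the continuations intact.

```yaml
  check-tag:
    # … unchanged: name, runs-on …
    if: >-
      github.event.workflow_run.conclusion == 'success' &&
      github.event.workflow_run.event == 'push'
    # … unchanged: outputs …
    steps:
      - name: Check if triggered by a version tag
        id: check
        env:
          HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
        run: |
          if [[ "$HEAD_BRANCH" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9.]+)?$ ]]; then
          # … unchanged: is-version-tag output lines …
```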