diff --git a/.github/workflows/release-npm.yml b/.github/workflows/release-npm.yml
new file mode 100644
index 0000000..fff68ce
--- /dev/null
+++ b/.github/workflows/release-npm.yml
@@ -0,0 +1,42 @@
+name: Publish to npm on GitHub Release
+
+on:
+  release:
+    types: [published]
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          registry-url: https://registry.npmjs.org
+          cache: npm
+
+      - name: Ensure release tag matches package.json version
+        shell: bash
+        run: |
+          set -euo pipefail
+          PKG_VERSION="$(node -p "require('./package.json').version")"
+          TAG_NAME="${{ github.event.release.tag_name }}"
+          if [[ "$TAG_NAME" != "v$PKG_VERSION" && "$TAG_NAME" != "$PKG_VERSION" ]]; then
+            echo "Release tag '$TAG_NAME' does not match package.json version '$PKG_VERSION' (expected '$PKG_VERSION' or 'v$PKG_VERSION')."
+            exit 1
+          fi
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Publish
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+        run: npm publish --access public --provenance