diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
new file mode 100644
index 000000000..92e8444fe
--- /dev/null
+++ b/.github/workflows/publish.yml
@@ -0,0 +1,58 @@
+name: Publish Package
+
+on:
+  push:
+    tags:
+      - 'v*'
+  pull_request:
+
+permissions:
+  id-token: write  # Required for OIDC
+  contents: write  # Required to push lockfile if missing
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: true
+          fetch-depth: 0
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          registry-url: 'https://registry.npmjs.org'
+
+      # Ensure npm 11.5.1 or later is installed
+      - name: Update npm
+        run: npm install -g npm@latest
+      
+      - name: Install dependencies
+        run: |
+          if [ -f yarn.lock ]; then
+            echo "Yarn lockfile present — using yarn"
+            npm install -g yarn
+            yarn install --frozen-lockfile
+          elif [ -f pnpm-lock.yaml ]; then
+            echo "pnpm lockfile present — using pnpm"
+            npm install -g pnpm
+            pnpm install --frozen-lockfile
+          elif [ -f package-lock.json ]; then
+            echo "npm lockfile present — running npm ci"
+            npm ci
+          else
+            echo "No lockfile — generating package-lock.json"
+            npm install --package-lock-only --ignore-scripts
+            git config user.name "github-actions[bot]"
+            git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+            git add package-lock.json
+            git commit -m "chore: add package-lock.json (generated by CI)" || echo "no changes to commit"
+            git push origin HEAD:${{ github.ref_name }}
+            npm ci
+          fi
+      
+      - run: npm run build --if-present
+      - run: npm test --if-present
+      - run: npm publish
+        if: startsWith(github.ref, 'refs/tags/v')