diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
new file mode 100644
index 0000000..24511b2
--- /dev/null
+++ b/.github/workflows/publish.yml
@@ -0,0 +1,48 @@
+name: Publish to npm
+
+on:
+ release:
+ types: [published]
+
+jobs:
+ publish:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ id-token: write
+ steps:
+ - uses: actions/checkout@v4
+
+ - uses: actions/setup-node@v4
+ with:
+ node-version: 22
+ registry-url: https://registry.npmjs.org
+
+ - run: npm install
+ - run: npm run build
+ - run: npm test
+ - run: npm run lint
+ - run: npm run typecheck
+
+ - name: Smoke test from tarball
+ run: |
+ npm pack
+ mkdir /tmp/smoke
+ cd /tmp/smoke
+ npm init -y
+ npm install $GITHUB_WORKSPACE/tripwire-mcp-tripwire-*.tgz
+ npx tripwire --version
+ npx tripwire --help
+
+ - name: Verify version matches release tag
+ run: |
+ PKG_VERSION=$(node -p "require('./package.json').version")
+ TAG="${GITHUB_REF_NAME#v}"
+ if [ "$PKG_VERSION" != "$TAG" ]; then
+ echo "FAIL: package.json version ($PKG_VERSION) != release tag ($TAG)"
+ exit 1
+ fi
+
+ - run: npm publish --provenance --access public
+ env:
+ NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
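Review bot: The install step `- run: npm install` does not enforce the lockfile in a job that later publishes with `id-token: write` and `NPM_TOKEN`, so the released build can contain dependency versions nobody reviewed. `- run: npm ci` would fail on lockfile drift instead; this assumes a package-lock.json is committed, which the diff does not show. Both `uses:` lines reference the mutable tags `actions/checkout@v4` and `actions/setup-node@v4`. Pinning each to a full commit SHA with the tag in a trailing comment, e.g. `- uses: actions/checkout@<full-commit-sha>  # v4`, keeps a retagged action from running in this job. The smoke test also exercises a tarball from `npm pack` while the final step packs again, so the tested artifact is not the one uploaded; publishing the tested `.tgz` would close that gap.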