diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
new file mode 100644
index 0000000..15341b7
--- /dev/null
+++ b/.github/workflows/publish.yml
@@ -0,0 +1,44 @@
+name: Publish
+
+on:
+  push:
+    tags:
+      - v*.*.*
+
+concurrency:
+  group: publish
+  cancel-in-progress: false
+
+# configured as trusted publisher (OIDC)
+# https://docs.npmjs.com/trusted-publishers
+permissions:
+  contents: read
+  id-token: write
+
+env:
+  NX_NON_NATIVE_HASHER: true
+
+jobs:
+  publish:
+    name: Publish packages
+    runs-on: ubuntu-latest
+    environment: release
+    steps:
+      - name: Clone the repository
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+      - name: Configure Git user
+        # https://github.com/actions/checkout/blob/main/README.md#push-a-commit-using-the-built-in-token
+        run: |
+          git config user.name github-actions[bot]
+          git config user.email 41898282+github-actions[bot]@users.noreply.github.com
+      - name: Set up Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version-file: .node-version
+          cache: npm
+      - name: Install dependencies
+        run: npm ci
+      - name: Publish packages to npm
+        run: npx nx release publish
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..0187f56
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,53 @@
+name: Release
+
+on:
+  push:
+    branches:
+      - main
+
+concurrency:
+  group: release
+  cancel-in-progress: false
+
+permissions:
+  contents: read
+
+jobs:
+  release:
+    name: Version and release
+    runs-on: ubuntu-latest
+    environment: release
+    env:
+      NX_NON_NATIVE_HASHER: true
+    steps:
+      - name: Authenticate as "Code PushUp Bot" GitHub App
+        uses: actions/create-github-app-token@v3
+        id: app-token
+        with:
+          client-id: ${{ vars.GH_APP_CLIENT_ID }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+      - name: Fetch GitHub App's user ID
+        id: get-user-id
+        run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+      - name: Configure Git user
+        run: |
+          git config --global user.name '${{ steps.app-token.outputs.app-slug }}[bot]'
+          git config --global user.email '${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com'
+      - name: Clone the repository
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+          token: ${{ steps.app-token.outputs.token }}
+      - name: Set up Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version-file: .node-version
+          cache: npm
+      - name: Install dependencies
+        run: npm ci
+      - name: Version, release and generate changelog
+        run: npx nx release --skip-publish
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}