diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
new file mode 100644
index 0000000..e0346db
--- /dev/null
+++ b/.github/workflows/publish.yml
@@ -0,0 +1,85 @@
+name: Publish to npm
+
+on:
+  release:
+    types: [published]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  id-token: write
+
+concurrency:
+  group: publish-${{ github.ref }}
+  cancel-in-progress: false
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Extract package info
+        id: pkg-info
+        run: |
+          PKG_NAME=$(node -p "require('./package.json').name")
+          PKG_VERSION=$(node -p "require('./package.json').version")
+          echo "name=$PKG_NAME" >> $GITHUB_OUTPUT
+          echo "version=$PKG_VERSION" >> $GITHUB_OUTPUT
+          echo "Extracted: $PKG_NAME@$PKG_VERSION"
+
+      - name: Use Node.js 20
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          registry-url: 'https://registry.npmjs.org'
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Build
+        run: npm run build
+
+      - name: Run tests
+        run: npm test
+
+      - name: Check if package already published
+        id: check
+        env:
+          PKG_NAME: ${{ steps.pkg-info.outputs.name }}
+          PKG_VERSION: ${{ steps.pkg-info.outputs.version }}
+        run: |
+          if npm view "$PKG_NAME@$PKG_VERSION" version >/dev/null 2>&1; then
+            echo "already=true" >> $GITHUB_OUTPUT
+            echo "Package $PKG_NAME@$PKG_VERSION already exists on npm, skipping publish"
+          else
+            echo "already=false" >> $GITHUB_OUTPUT
+            echo "Package $PKG_NAME@$PKG_VERSION not found on npm, will publish"
+          fi
+
+      - name: Verify release tag matches package.json version
+        if: steps.check.outputs.already == 'false' && github.event_name == 'release'
+        env:
+          PKG_VERSION: ${{ steps.pkg-info.outputs.version }}
+        run: |
+          RELEASE_TAG="${{ github.event.release.tag_name }}"
+          TAG_VERSION=${RELEASE_TAG#v}
+          if [ "$TAG_VERSION" != "$PKG_VERSION" ]; then
+            echo "❌ Release tag $RELEASE_TAG does not match package.json version $PKG_VERSION"
+            exit 1
+          fi
+          echo "✅ Release tag $RELEASE_TAG matches package.json version $PKG_VERSION"
+
+      - name: Publish to npm
+        if: steps.check.outputs.already == 'false'
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NPM_CONFIG_PROVENANCE: true
+          PKG_NAME: ${{ steps.pkg-info.outputs.name }}
+          PKG_VERSION: ${{ steps.pkg-info.outputs.version }}
+        run: |
+          echo "Publishing $PKG_NAME@$PKG_VERSION to npm..."
+          npm publish --access public --provenance
+          echo "Successfully published to npm"