diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..41c2e71
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,123 @@
+name: Release
+
+on:
+ push:
+ tags:
+ # For root tags, such as v0.4.2
+ - "v[0-9]+.[0-9]+.[0-9]+"
+ - "v[0-9]+.[0-9]+.[0-9]+-rc.[0-9]+"
+ # For subfolder tags, such as workflow-engine-v1.18.0
+ #- "[a-zA-Z-_]+v[0-9]+.[0-9]+.[0-9]+"
+ #- "[a-zA-Z-_]+v[0-9]+.[0-9]+.[0-9]+-rc.[0-9]+"
+ - "ci-testing[a-zA-Z]+"
+jobs:
+ build:
+ permissions:
+ id-token: write
+ contents: read
+ attestations: write
+ strategy:
+ matrix:
+ include:
+ - platform: linux/amd64
+ runner: ubuntu-latest
+ asset_name: ${{ github.event.repository.name }}-linux-amd64-latest
+ - platform: linux/arm64
+ runner: arm-ubuntu-latest-8core
+ asset_name: ${{ github.event.repository.name }}-linux-aarch64-latest
+ runs-on: ${{ matrix.runner }}
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Set up Rust
+ uses: famedly/backend-build-workflows/.github/actions/rust-prepare@main
+ with:
+ gitlab_ssh: ${{ secrets.CI_SSH_PRIVATE_KEY}}
+ gitlab_user: ${{ secrets.GITLAB_USER }}
+ gitlab_pass: ${{ secrets.GITLAB_PASS }}
+
+ - name: Caching
+ uses: Swatinem/rust-cache@b8a6852b4f997182bdea832df3f9e153038b5191
+ with:
+ cache-on-failure: true
+ cache-all-crates: true
+
+ - name: Install additional cargo tooling
+ shell: bash
+ run: cargo install cargo-auditable --locked
+
+ - name: Build release
+ shell: bash
+ run: cargo auditable build --release
+
+ - name: Attest
+ uses: actions/attest-build-provenance@v1
+ with:
+ subject-path: '${{ github.workspace }}/target/release/${{ github.event.repository.name }}'
+
+ - name: Upload binary
+ uses: actions/upload-artifact@v4
+ with:
+ name: release-${{ matrix.asset_name }}
+ path: '${{ github.workspace }}/target/release/${{ github.event.repository.name }}'
+
+ sbom:
+ permissions:
+ id-token: write
+ contents: read
+ attestations: write
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Set up Rust
+ uses: famedly/backend-build-workflows/.github/actions/rust-prepare@main
+ with:
+ gitlab_ssh: ${{ secrets.CI_SSH_PRIVATE_KEY}}
+ gitlab_user: ${{ secrets.GITLAB_USER }}
+ gitlab_pass: ${{ secrets.GITLAB_PASS }}
+
+ - name: Caching
+ uses: Swatinem/rust-cache@b8a6852b4f997182bdea832df3f9e153038b5191
+ with:
+ cache-on-failure: true
+ cache-all-crates: true
+
+ - name: Install additional cargo tooling
+ shell: bash
+ run: cargo install cargo-sbom --locked
+
+ - name: Generate SBOM
+ shell: bash
+ run: cargo sbom > sbom.spdx.json
+
+ - name: Attest
+ uses: actions/attest-build-provenance@v1
+ with:
+ subject-path: '${{ github.workspace }}/sbom.spdx.json'
+
+ - name: Upload SBOM
+ uses: actions/upload-artifact@v4
+ with:
+ name: release-sbom-spdx
+ path: '${{ github.workspace }}/sbom.spdx.json'
+
+ release:
+ runs-on: ubuntu-latest
+ needs: [build, sbom]
+ steps:
+ - name: Download artifacts
+ uses: actions/download-artifact@v4
+ with:
+ name: release-*
+ path: artifacts
+ merge-multiple: true
+
+ - name: Create release
+ uses: softprops/action-gh-release@79721680dfc87fb0f44dfe65df68961056d55c38
+ with:
+ files: artifacts/*
+
+
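Review bot: The `Set up Rust` step in both the `build` and `sbom` jobs resolves `famedly/backend-build-workflows/.github/actions/rust-prepare@main`, a mutable branch ref, and hands that action `secrets.CI_SSH_PRIVATE_KEY`, `GITLAB_USER` and `GITLAB_PASS`, so any change pushed to that branch runs with those credentials on the next tagged release; the other third-party actions in this file (`Swatinem/rust-cache`, `softprops/action-gh-release`) are already pinned to a full commit SHA, and this one should be pinned the same way, `uses: famedly/backend-build-workflows/.github/actions/rust-prepare@<pinned-commit-sha>  # rust-prepare@main as of <date>`, with the pin refreshed deliberately rather than floating. The `release` job declares no `permissions` block while `build` and `sbom` do, so it runs with whatever the repository default grants; creating a release through `softprops/action-gh-release` presumably needs `contents: write` on the token, so state that explicitly and nothing more: `permissions:` / `contents: write` under `release:`. It is also worth confirming that the `ci-testing[a-zA-Z]+` trigger pattern is meant to reach the `release` job, since as written pushing such a test tag publishes a real GitHub release from it. Minor: `${{ secrets.CI_SSH_PRIVATE_KEY}}` is missing the space before `}}` that the sibling inputs have.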