diff --git a/.github/CONTRIBUTING.md b/.github/CONTRIBUTING.md
new file mode 100644
index 0000000..d0a9145
--- /dev/null
+++ b/.github/CONTRIBUTING.md
@@ -0,0 +1,8 @@
+# Contributing
+
+## Releasing
+
+From a clean working copy, run `npm version major|minor|patch|VERSION`.
+This will bump the package version, commit, tag, and push.
+The tag-push event triggers the release workflow on GitHub.
+The workflow creates a GitHub Release from the tag and publishes to npm.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..95e928c
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,37 @@
+name: Release
+on:
+  push: { tags: "v[0-9]+.[0-9]+.[0-9]+*" }
+
+permissions: {}
+jobs:
+  github:
+    permissions: { contents: write }
+    runs-on: ubuntu-latest
+    steps:
+      - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+        with: { egress-policy: audit }
+      - uses: actions/checkout@v4
+      # TODO exit this job differently than success if release already exists
+      - name: gh release create
+        run: |
+          # shellcheck disable=SC2086
+          gh release view $tag || \
+            gh release create ${tag/*-*/"$tag" --prerelease} --generate-notes
+        env:
+          GH_TOKEN: ${{ github.token }}
+          tag: ${{ github.ref_name }}
+
+  npm:
+    permissions: { id-token: write }
+    runs-on: ubuntu-latest
+    steps:
+      - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+        with: { egress-policy: audit }
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          registry-url: https://registry.npmjs.org
+      - run: npm ci
+      - run: npm publish --provenance
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/package.json b/package.json
index 7048995..f6388c4 100644
--- a/package.json
+++ b/package.json
@@ -7,7 +7,7 @@
   "author": "Zoltán Tömböl (https://github.com/ztombol)",
   "contributors": [
     "Sam Stephenson <sstephenson@gmail.com> (http://sstephenson.us/)",
-    "Jason Karns <jason.karns@gmail.com> (http://jason.karns.name)",
+    "Jason Karns <jason.karns@gmail.com> (http://jasonkarns.com)",
     "Mislav Marohnić <mislav.marohnic@gmail.com> (http://mislav.net/)",
     "Tim Pope (https://github.com/tpope)"
   ],
@@ -23,9 +23,7 @@
   ],
   "scripts": {
     "test": "bats ${CI+-t} test",
-    "postversion": "npm publish",
-    "prepublishOnly": "npm run publish:github",
-    "publish:github": "git push --follow-tags"
+    "postversion": "git push --follow-tags"
   },
   "devDependencies": {
     "bats": "^1",