diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..5e73e66
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,55 @@
+name: Release
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: "Version to release (semver, no leading v — e.g. 5.0.3)"
+        required: true
+        type: string
+
+permissions:
+  contents: read
+
+jobs:
+  tag:
+    runs-on: ubuntu-latest
+    environment: master
+    steps:
+      - name: Validate version
+        env:
+          VERSION: ${{ inputs.version }}
+        run: |
+          if [[ ! "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?$ ]]; then
+            echo "Version must be semver (e.g. 5.0.3 or 5.0.3-beta.1)"
+            exit 1
+          fi
+
+      - name: Mint App installation token
+        id: app-token
+        uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+        with:
+          app-id: ${{ secrets.PACKAGIST_PUBLISHER_APP_ID }}
+          private-key: ${{ secrets.PACKAGIST_PUBLISHER_PRIVATE_KEY }}
+          permission-contents: write
+
+      - name: Create annotated tag on master HEAD
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+          VERSION: ${{ inputs.version }}
+          REPO: ${{ github.repository }}
+        run: |
+          set -euo pipefail
+          SHA=$(gh api "repos/$REPO/commits/master" --jq .sha)
+          echo "Tagging $SHA as $VERSION"
+
+          TAG_OBJ=$(gh api -X POST "repos/$REPO/git/tags" \
+            -f tag="$VERSION" \
+            -f message="Release $VERSION" \
+            -f object="$SHA" \
+            -f type=commit \
+            --jq .sha)
+
+          gh api -X POST "repos/$REPO/git/refs" \
+            -f ref="refs/tags/$VERSION" \
+            -f sha="$TAG_OBJ"