diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 00000000..4998c5bd
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,55 @@
+name: Release
+
+on:
+ push:
+ tags:
+ - '*'
+
+jobs:
+ release:
+ runs-on: ubuntu-latest
+ container:
+ image: ghcr.io/vanilla-os/pico:main
+ volumes:
+ - /proc:/proc
+ - /:/run/host
+ options: --privileged -it
+ permissions:
+ contents: write # to create and upload assets to releases
+ attestations: write # to upload assets attestation for build provenance
+ id-token: write # grant additional permission to attestation action to mint the OIDC token permission
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: De-bloat stock image
+ run: |
+ rm -r /run/host/usr/share/dotnet
+ rm -r /run/host${{ runner.tool_cache }}
+
+ - name: Install needed packages
+ run: apt update && apt install debootstrap -y
+
+ - name: Build ISO
+ run: ./build.sh etc/terraform.conf
+
+ - uses: actions/upload-artifact@v4
+ with:
+ name: Vanilla OS 2 Orchid
+ path: builds/
+
+ - uses: softprops/action-gh-release@v2
+ with:
+ token: "${{ secrets.GITHUB_TOKEN }}"
+ tag_name: "${{ github.ref_name }}"
+ prerelease: true
+ generate_release_notes: false
+ name: "Vanilla OS ${{ github.ref_name }} Orchid"
+ files: |
+ builds/
+
+ - name: Attest Release Files
+ id: attest
+ uses: actions/attest-build-provenance@v1
+ with:
+ subject-path: 'builds/'
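Review bot: The single `release` job holds `contents: write`, `attestations: write` and `id-token: write` while it runs `apt install` and `./build.sh` in a `--privileged` container with the host root mounted at `/run/host`, so everything executed during the build has the release token and OIDC minting rights within reach. I would split it into a `build` job with `contents: read` that keeps the privileged container and uploads the ISO, and a `release` job without the container that downloads the artifact, publishes and attests. The image is referenced by the mutable tag `main` and the actions by major-version tags, which weakens the provenance the attestation is meant to give; pinning them by digest and full commit SHA would close that gap. Separately, `files: builds/` and `subject-path: 'builds/'` name a directory, and both actions appear to expect file paths or globs, so `builds/*` may be what is intended and is worth confirming on a test tag.

```yaml
jobs:
  build:
    runs-on: ubuntu-latest
    container:
      # … unchanged: volumes, options; image pinned as ghcr.io/vanilla-os/pico@sha256:<image-digest> …
    permissions:
      contents: read
    steps:
      # … unchanged: checkout, de-bloat, install packages, build ISO, upload-artifact …

  release:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: write
      attestations: write
      id-token: write
    steps:
      - uses: actions/download-artifact@<full-commit-sha>  # v4
        with:
          name: Vanilla OS 2 Orchid
          path: builds/
      # … unchanged: action-gh-release, attest-build-provenance (each pinned to a full commit SHA) …
```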