diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index a0ebb28..a1c20aa 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -92,3 +92,51 @@ jobs:
 name: ${{ steps.tag.outputs.value }}
 body_path: release_notes.md
 generate_release_notes: true
+
+ publish-npm:
+ if: startsWith(github.ref, 'refs/tags/v') || github.event_name == 'workflow_dispatch'
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ id-token: write
+ steps:
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ fetch-depth: 0
+ ref: ${{ inputs.tag || github.ref }}
+
+ - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
+
+ - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+ with:
+ node-version: '20'
+ cache: 'pnpm'
+ registry-url: 'https://registry.npmjs.org'
+
+ - name: Install dependencies
+ run: pnpm install --frozen-lockfile
+
+ - name: Build
+ run: pnpm run build
+
+ # Enforces unified workspace versioning — every packages/*/package.json must match the tag.
+ - name: Verify workspace versions match tag
+ shell: bash
+ run: |
+ TAG="${{ github.event.inputs.tag || github.ref_name }}"
+ EXPECTED="${TAG#v}"
+ FAIL=0
+ for p in packages/*/package.json; do
+ V=$(node -p "require('./$p').version")
+ N=$(node -p "require('./$p').name")
+ if [[ "$V" != "$EXPECTED" ]]; then
+ echo "::error::$N version $V does not match tag $EXPECTED"
+ FAIL=1
+ fi
+ done
+ if [[ $FAIL -ne 0 ]]; then exit 1; fi
+
+ - name: Publish to npm
+ env:
+ NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+ run: pnpm -r publish --access public --no-git-checks --provenance
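Review bot: The "Verify workspace versions match tag" step interpolates `${{ github.event.inputs.tag || github.ref_name }}` straight into the bash script, which is a script-injection sink: a crafted `tag` dispatch input, or a pushed tag whose name contains `"`, `$(…)` or `;` (all legal in git ref names), executes as shell in a job that holds `NPM_TOKEN`. Pass the value through the environment instead — on that step add `env:` with `TAG_REF: ${{ inputs.tag || github.ref_name }}` and start the script with `TAG="$TAG_REF"` — which also removes the inconsistency with the checkout step, which reads `inputs.tag`. Separately, the `workflow_dispatch` path appears to let anyone with write access run this job from any branch against an arbitrary `ref`, and the job declares no `environment:`, so unless `NPM_TOKEN` is already stored in a protected environment (not visible here) it is reachable from unreviewed workflow edits; binding the job to a reviewed environment, or dropping the long-lived token in favour of the OIDC `id-token` the job already requests, would close that. Note too that `--provenance` attests the run's own ref, which on a dispatch is the branch rather than the tag that `ref:` checked out, so the attestation may not describe what was actually published — worth confirming before consumers rely on it.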