diff --git a/.gitea/workflows/release.yaml b/.gitea/workflows/release.yaml
new file mode 100644
index 0000000..4db084d
--- /dev/null
+++ b/.gitea/workflows/release.yaml
@@ -0,0 +1,69 @@
+# Release: on a version tag, build the static Linux binary (D2) and publish it
+# to a Gitea release with a checksum. Runs in the same prebuilt CI image as the
+# gate, so the pinned toolchain + musl target/cc are already warm.
+#
+# Scope: x86_64-unknown-linux-musl only, for now. The rest of the D1 matrix
+# (aarch64, macOS, Windows) and the D3 package-manager manifests layer on later,
+# step by step.
+#
+# Correctness comes from the branch gate (clippy + test) that ran when the
+# tagged commit was pushed; this job builds + publishes, it does not re-test.
+name: release
+on:
+  push:
+    tags:
+      - 'v*'
+
+jobs:
+  release:
+    runs-on: ci-public
+    container:
+      image: git.lazyeval.net/oli/rdbms-playground-ci:latest
+    env:
+      TARGET: x86_64-unknown-linux-musl
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: build static binary
+        run: nix develop -c cargo build --release --target "$TARGET"
+
+      - name: package artifacts
+        run: |
+          set -euo pipefail
+          BIN="target/$TARGET/release/rdbms-playground"
+          file "$BIN"
+          OUT="rdbms-playground-${{ github.ref_name }}-$TARGET"
+          mkdir -p dist
+          cp "$BIN" "dist/$OUT"
+          ( cd dist && sha256sum "$OUT" > "$OUT.sha256" )
+          ls -l dist
+
+      - name: publish gitea release + assets
+        env:
+          # Auto-provided by Gitea Actions; has repo write (release) scope.
+          TOKEN: ${{ secrets.GITEA_TOKEN }}
+          API: ${{ github.server_url }}/api/v1
+          REPO: ${{ github.repository }}
+          TAG: ${{ github.ref_name }}
+        run: |
+          set -euo pipefail
+          # Create the release for this tag; if it already exists, look it up.
+          created=$(curl -sS -X POST "$API/repos/$REPO/releases" \
+            -H "Authorization: token $TOKEN" \
+            -H "Content-Type: application/json" \
+            -d "{\"tag_name\":\"$TAG\",\"name\":\"$TAG\",\"body\":\"Automated release for $TAG.\"}")
+          id=$(printf '%s' "$created" | node -e 'let s="";process.stdin.on("data",d=>s+=d).on("end",()=>{try{const o=JSON.parse(s);process.stdout.write(String(o.id||""))}catch(e){}})')
+          if [ -z "$id" ]; then
+            id=$(curl -sS "$API/repos/$REPO/releases/tags/$TAG" \
+              -H "Authorization: token $TOKEN" \
+              | node -e 'let s="";process.stdin.on("data",d=>s+=d).on("end",()=>{process.stdout.write(String(JSON.parse(s).id))})')
+          fi
+          echo "release id: $id"
+          for f in dist/*; do
+            name=$(basename "$f")
+            echo "uploading $name"
+            curl -sS -X POST "$API/repos/$REPO/releases/$id/assets?name=$name" \
+              -H "Authorization: token $TOKEN" \
+              -F "attachment=@$f" > /dev/null
+          done
+          echo "published $TAG"