diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..5a64108
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,77 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+permissions:
+  contents: write
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up JDK 17
+        uses: actions/setup-java@v4
+        with:
+          java-version: '17'
+          distribution: 'temurin'
+          cache: gradle
+
+      - name: Grant execute permission for gradlew
+        run: chmod +x gradlew
+
+      # Decode the base64-encoded keystore stored in GitHub Secrets and write it
+      # to a file that Gradle can reference during the signing step.
+      - name: Decode keystore
+        run: |
+          echo "${{ secrets.KEYSTORE_FILE }}" | base64 --decode > ${{ github.workspace }}/release.jks
+          chmod 600 ${{ github.workspace }}/release.jks
+
+      # Write keystore.properties so that app/build.gradle.kts can pick up
+      # all signing credentials at build time (mirrors keystore.properties.template).
+      - name: Write keystore.properties
+        run: |
+          cat > ${{ github.workspace }}/keystore.properties <<EOF
+          storeFile=${{ github.workspace }}/release.jks
+          storePassword=${{ secrets.KEYSTORE_PASSWORD }}
+          keyAlias=${{ secrets.KEY_ALIAS }}
+          keyPassword=${{ secrets.KEY_PASSWORD }}
+          EOF
+          chmod 600 ${{ github.workspace }}/keystore.properties
+
+      - name: Run unit tests
+        run: ./gradlew test
+
+      - name: Build signed release AAB
+        run: ./gradlew bundleRelease
+
+      - name: Upload AAB artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: app-release
+          path: app/build/outputs/bundle/release/app-release.aab
+          if-no-files-found: error
+          retention-days: 7
+
+      # Creates a GitHub Release and attaches the signed AAB.
+      # The release name and body are derived from the pushed tag automatically.
+      - name: Create GitHub Release
+        uses: softprops/action-gh-release@v2
+        with:
+          files: app/build/outputs/bundle/release/app-release.aab
+
+      # Uploads the signed AAB to the Internal testing track of the Play Store.
+      # Change 'track' to 'production' when you are ready for full rollout.
+      - name: Upload to Google Play (Internal track)
+        uses: r0adkll/upload-google-play@v1
+        with:
+          serviceAccountJsonPlainText: ${{ secrets.SERVICE_ACCOUNT_JSON }}
+          packageName: fr.benju.tasks
+          releaseFiles: app/build/outputs/bundle/release/app-release.aab
+          track: internal