diff --git a/.github/workflows/nix.yml b/.github/workflows/nix.yml
deleted file mode 100644
index 4f15517e2..000000000
--- a/.github/workflows/nix.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-name: Nix
-
-on:
-  push:
-    branches:
-    - master
-  pull_request:
-    branches:
-    - master
-
-jobs:
-  test:
-    runs-on: ${{ matrix.os }}
-    strategy:
-      matrix:
-        os:
-          - ubuntu-latest
-          - macos-latest
-    steps:
-    - uses: actions/checkout@v4
-    - uses: cachix/install-nix-action@v23
-      with:
-        nix_path: nixpkgs=channel:nixos-unstable
-    - run: nix-build
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 000000000..7af42899f
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,100 @@
+name: "Nix and release"
+on:
+  push:
+    branches:
+      - master
+    tags:
+      - "v*"
+  pull_request:
+    branches:
+      - master
+
+jobs:
+  nixBuild:
+    name: Build ${{ matrix.name }} binary
+    runs-on: ${{ matrix.os }}
+    permissions:
+      contents: read
+    outputs:
+      version: ${{ steps.version.outputs.version }}
+    strategy:
+      matrix:
+        include:
+          - os: ubuntu-latest
+            name: Linux (x86_64)
+            tuple: x86_64-linux
+          - os: macos-latest
+            name: macOS (x86_64)
+            tuple: x86_64-macos
+          - os: macos-latest-xlarge
+            name: macOS (aarch64)
+            tuple: aarch64-macos
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@v6
+
+      - name: Configure Nix cache
+        if: runner.arch == 'X64'
+        # Unfortunately the action does not work on ARM runners
+        uses: DeterminateSystems/magic-nix-cache-action@v2
+
+      - name: Obtain version number
+        id: version
+        run: |
+          if [[ "$GIT_REF" =~ ^refs/tags/v.* ]]; then
+            echo "version=$(echo "$GIT_REF" | sed 's#^refs/tags/v##')" >> "$GITHUB_OUTPUT"
+          else
+            echo "version=HEAD-$(echo "$GIT_SHA" | cut -c1-7)" >> "$GITHUB_OUTPUT"
+          fi
+        env:
+          GIT_REF: ${{ github.ref }}
+          GIT_SHA: ${{ github.sha }}
+
+      - name: Build dynamic echidna
+        run: |
+          nix build .#echidna
+
+      - name: Build redistributable echidna
+        run: |
+          nix build .#echidna-redistributable --out-link redistributable
+          tar -czf "echidna-${{ steps.version.outputs.version }}-${{ matrix.tuple }}.tar.gz" -C ./redistributable/bin/ echidna
+
+      - name: Upload artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: echidna-redistributable
+          path: echidna-${{ steps.version.outputs.version }}-${{ matrix.tuple }}.tar.gz
+
+  release:
+    name: Create release
+    needs: [nixBuild]
+    if: startsWith(github.ref, 'refs/tags/')
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      id-token: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Download binaries
+        uses: actions/download-artifact@v3
+        with:
+          name: echidna-redistributable
+
+      - name: Sign binaries
+        uses: sigstore/gh-action-sigstore-python@v2.1.0
+        with:
+          inputs: ./echidna-*.tar.gz
+
+      - name: Create GitHub release and upload binaries
+        uses: softprops/action-gh-release@v0.1.15
+        with:
+          draft: true
+          name: "Echidna ${{ needs.nixBuild.outputs.version }}"
+          files: |
+            ./echidna-*.tar.gz
+            ./echidna-*.tar.gz.sigstore