diff --git a/.github/MAINTENANCE.md b/.github/MAINTENANCE.md
new file mode 100644
index 0000000..4ca916d
--- /dev/null
+++ b/.github/MAINTENANCE.md
@@ -0,0 +1,10 @@
+This document explains how to perform the project's maintenance tasks.
+
+### Creating a new release
+
+Anyone with write access to the repository can request a new release. To do so, follow these steps:
+
+1. Run `pnpm version <patch|minor|major>` locally to bump the version number and create a new commit / tag.
+2. Push the commit and tag to the repository by running `git push --follow-tags`.
+3. The release will be automatically published to npm by GitHub Actions once approved by an administrator.
+4. Go to <https://github.com/vuejs/eslint-config-typescript/releases/new> and create a new release with the tag that was just created. Describe the notable changes in the release notes.
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
new file mode 100644
index 0000000..9c8ed19
--- /dev/null
+++ b/.github/workflows/publish.yml
@@ -0,0 +1,25 @@
+name: Publish
+
+on:
+  push:
+    tags:
+      - 'v*' # Push events to matching v*, i.e. v1.0, v20.15.10
+
+jobs:
+  release:
+    # Use Publish environment for deployment protection
+    environment: Publish
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 'lts/*'
+          registry-url: 'https://registry.npmjs.org'
+      - run: pnpm install
+      - run: pnpm publish
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/package.json b/package.json
index e3abfb1..12368b5 100644
--- a/package.json
+++ b/package.json
@@ -26,7 +26,8 @@
     "prepublishOnly": "pkgroll --clean-dist"
   },
   "publishConfig": {
-    "access": "public"
+    "access": "public",
+    "provenance": true
   },
   "repository": {
     "type": "git",