diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 0000000..4f0cdf0
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,29 @@
+name: CI
+
+on:
+  push:
+    branches:
+    - main
+  pull_request:
+    branches:
+    - main
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+    - uses: actions/checkout@v4
+    - uses: actions/setup-node@v4
+      with:
+        node-version: '20.x'
+        registry-url: 'https://npm.pkg.github.com'
+    - name: Install
+      run: npm install
+    - name: Test
+      run: npm test --forbid-only
+    - name: Release
+      if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
+      run: ./release.sh
+      env:
+        NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
deleted file mode 100644
index 8775feb..0000000
--- a/.github/workflows/publish.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-name: Publish
-
-on:
-  push:
-    tags:
-    - '*'
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    timeout-minutes: 10
-    steps:
-    - uses: actions/checkout@v3
-    - uses: actions/setup-node@v3
-      with:
-        node-version: '18.x'
-        registry-url: 'https://npm.pkg.github.com'
-    - name: Install
-      # Skip post-install to avoid malicious scripts stealing PAT
-      run: npm install --ignore-script
-      env:
-        # GITHUB_TOKEN can't access packages hosted in private repos,
-        # even within the same organisation
-        NODE_AUTH_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
-    - name: Post-install
-      run: npm rebuild && npm run prepare --if-present
-    - name: Publish
-      run: npm publish
-      env:
-        NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
deleted file mode 100644
index a0d4684..0000000
--- a/.github/workflows/test.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-name: Test
-
-on:
-  push:
-    branches:
-    - main
-  pull_request:
-    branches:
-    - main
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    timeout-minutes: 10
-    steps:
-    - uses: actions/checkout@v3
-      with:
-        # Use PAT instead of default Github token, because the default
-        # token deliberately will not trigger another workflow run
-        token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
-    - uses: actions/setup-node@v3
-      with:
-        node-version: '18.x'
-        registry-url: 'https://npm.pkg.github.com'
-    - name: Install
-      # Skip post-install to avoid malicious scripts stealing PAT
-      run: npm install --ignore-script
-      env:
-        # GITHUB_TOKEN can't access packages hosted in private repos,
-        # even within the same organisation
-        NODE_AUTH_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
-    - name: Post-install
-      run: npm rebuild && npm run prepare --if-present
-    - name: Test
-      run: npm test --forbid-only
-    - name: Tag
-      if: ${{ github.ref == 'refs/heads/main' }}
-      run: ./tag.sh
diff --git a/tag.sh b/release.sh
similarity index 97%
rename from tag.sh
rename to release.sh
index 8444f76..d4cf8da 100755
--- a/tag.sh
+++ b/release.sh
@@ -20,3 +20,5 @@ echo '!/lib' >> .gitignore
 
 git tag $VERSION
 git push origin refs/tags/$VERSION
+
+npm publish