diff --git a/.gitea/workflows/release.yml b/.gitea/workflows/release.yml
new file mode 100644
index 00000000..dbf7a9a8
--- /dev/null
+++ b/.gitea/workflows/release.yml
@@ -0,0 +1,79 @@
+name: release
+
+# Builds and deploys the production environment on `v*` tag push.
+# Runs on the self-hosted runner via Docker-out-of-Docker; images are
+# tagged with the actual git tag (e.g. v1.0.0) so rollback is
+# `TAG= docker compose -f docker-compose.prod.yml -p archiv-production up -d --wait`
+#
+# Production environment:
+# - project name: archiv-production
+# - host ports: backend 8080, frontend 3000
+# - profile: (none) — mailpit is excluded; real SMTP relay is used
+#
+# Required Gitea secrets:
+# PROD_POSTGRES_PASSWORD
+# PROD_MINIO_PASSWORD
+# PROD_MINIO_APP_PASSWORD
+# PROD_OCR_TRAINING_TOKEN
+# PROD_APP_ADMIN_USERNAME (CRITICAL: see docs/DEPLOYMENT.md)
+# PROD_APP_ADMIN_PASSWORD (CRITICAL: locked in on first deploy)
+# MAIL_HOST
+# MAIL_PORT
+# MAIL_USERNAME
+# MAIL_PASSWORD
+
+on:
+ push:
+ tags:
+ - "v*"
+
+env:
+ DOCKER_BUILDKIT: "1"
+
+jobs:
+ deploy-production:
+ runs-on: self-hosted
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Write production env file
+ run: |
+ cat > .env.production <