diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..9c4c00b
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,31 @@
+name: Release
+
+permissions:
+ contents: write
+
+on:
+ push:
+ tags:
+ - 'v*.*.**'
+
+env:
+ CARGO_TERM_COLOR: always
+
+jobs:
+ deb-release:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions-rs/toolchain@v1
+ with:
+ profile: minimal
+ toolchain: stable
+ target: x86_64-unknown-linux-musl
+ - uses: taiki-e/install-action@v2
+ with:
+ tool: cargo-deb
+ - run: cargo deb --target x86_64-unknown-linux-musl
+ - uses: softprops/action-gh-release@v1
+ with:
+ files: target/x86_64-unknown-linux-musl/debian/shh_*.deb
+ token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/README.md b/README.md
index dee405e..9367b96 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,9 @@ Automatic [systemd](https://systemd.io/) service hardening guided by [strace](https://strace.io/) profiling. -## Installation from source +## Installation + +### From source You need a Rust build environment for example from [rustup](https://rustup.rs/).
@@ -11,6 +13,10 @@ cargo build --release install -Dm 755 -t /usr/local/bin target/release/shh ``` +### Debian + +See [GitHub releases](https://github.com/synacktiv/shh/releases) for Debian packages built for each tagged version. + ## Usage To harden a system unit named `SERVICE.service`:
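Review bot: In `.github/workflows/release.yml`, the three third-party steps (`actions-rs/toolchain@v1`, `taiki-e/install-action@v2`, `softprops/action-gh-release@v1`) are referenced by mutable tags, while the job holds `contents: write` and publishes the `.deb` that users install from the releases page. If one of those tags is moved, the action gains write access to the repository and control over the uploaded artifact. Pin each one to a full commit SHA with the tag kept as a trailing comment, e.g. `- uses: softprops/action-gh-release@<full-commit-sha>  # v1`, and let an update bot propose bumps. The `permissions: contents: write` block is also declared for the whole workflow; moving it under `deb-release` keeps any job added later on the default read-only token. The published package has no checksum or provenance alongside it, so a generated `SHA256SUMS` file added to `files:` would let users verify what they download.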