diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..b12e35d
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,23 @@
+# Run the release flow
+# Keep in sync with try-release.yml
+
+name: Run release
+on:
+  push:
+    tags:
+      - v*
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v4
+        with:
+          go-version: 1.21
+      - run: ./build-release.sh
+      - name: upload
+        uses: actions/upload-artifact@v4
+        with:
+          path: "build/*.zip"
+          if-no-files-found: error
diff --git a/.github/workflows/try-release.yml b/.github/workflows/try-release.yml
new file mode 100644
index 0000000..c6d2837
--- /dev/null
+++ b/.github/workflows/try-release.yml
@@ -0,0 +1,19 @@
+# Try the release flow to ensure it works
+# Keep in sync with release.yml
+
+name: Try release
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+jobs:
+  try-release:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v4
+        with:
+          go-version: 1.21
+      - run: ./build-release.sh
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..84c048a
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+/build/
diff --git a/build-release.sh b/build-release.sh
new file mode 100755
index 0000000..19d8541
--- /dev/null
+++ b/build-release.sh
@@ -0,0 +1,34 @@
+#!/bin/bash
+set -euxo pipefail
+
+# Build the pair of zip files to upload to lambda
+
+mkdir -p build
+DIR=$(mktemp -d "build/build-$(git rev-parse --short HEAD)-XXXXXX")
+echo "Building in $DIR"
+
+# Churner is just a binary
+mkdir -p "$DIR/churner"
+go build -o "$DIR/churner/bootstrap" lambda/churner/churner.go
+# zip
+pushd "$DIR/churner"
+zip churner.zip bootstrap
+popd
+cp "$DIR/churner/churner.zip" build/churner.zip
+
+
+# Checker binary and certs
+mkdir -p "$DIR/checker"
+go build -o "$DIR/checker/bootstrap" lambda/checker/checker.go
+
+# Include all the issuers
+# TODO(#23): Don't bake these into the release
+cp checker/testdata/*.pem "$DIR/checker/"
+
+# zip
+pushd "$DIR/checker"
+zip checker.zip bootstrap ./*.pem
+popd
+cp "$DIR/checker/checker.zip" build/checker.zip
+
+echo "built: build/churner.zip build/checker.zip"