diff --git a/.github/workflows/publish-on-semrel.yml b/.github/workflows/publish-on-semrel.yml
new file mode 100644
index 0000000..8a5553f
--- /dev/null
+++ b/.github/workflows/publish-on-semrel.yml
@@ -0,0 +1,101 @@
+name: publish-on-semrel
+on:
+ workflow_run:
+ workflows: ["semantic-release"]
+ types: [completed]
+ workflow_dispatch:
+ inputs:
+ tag:
+ description: "Tag a publicar (p.ej. v0.4.35). Vacío = último release"
+ required: false
+ default: ""
+permissions:
+ contents: read
+ packages: write
+ id-token: write
+concurrency:
+ group: publish-${{ github.event_name }}-${{ github.run_id }}
+ cancel-in-progress: false
+jobs:
+ publish:
+ if: ${{ github.event_name == 'workflow_dispatch' || (github.event.workflow_run.conclusion == 'success') }}
+ runs-on: ubuntu-latest
+ environment: pypi
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ # Obtener tag del último release
+ - uses: actions/github-script@v7
+ id: latest
+ with:
+ script: |
+ const { data } = await github.repos.getLatestRelease({ owner: context.repo.owner, repo: context.repo.repo });
+ core.setOutput('tag', data.tag_name);
+
+ - name: Resolver TAG de publicación
+ id: tag
+ shell: bash
+ run: |
+ if [[ "${{ github.event_name }}" == "workflow_dispatch" ]] && [[ -n "${{ github.event.inputs.tag }}" ]]; then
+ TAG="${{ github.event.inputs.tag }}"
+ else
+ TAG="${{ steps.latest.outputs.tag }}"
+ fi
+ echo "TAG=$TAG" >> "$GITHUB_ENV"
+ echo "tag=$TAG" >> "$GITHUB_OUTPUT"
+ echo "Publicando tag: $TAG"
+
+ - name: Sincronizar version de pyproject.toml con TAG
+ shell: bash
+ run: |
+ python - <<'PY'
+ import os, re, pathlib
+ tag = os.environ["TAG"].lstrip('v')
+ p = pathlib.Path("pyproject.toml")
+ t = p.read_text()
+ t = re.sub(r'(?m)^(\s*version\s*=\s*")\d+\.\d+\.\d+(")', rf"\1{tag}\2", t)
+ p.write_text(t)
+ print("Set version ->", tag)
+ PY
+
+ # Build & push GHCR
+ - name: Set IMAGE
+ run: echo "IMAGE=ghcr.io/${GITHUB_REPOSITORY,,}" >> "$GITHUB_ENV"
+
+ - uses: docker/setup-qemu-action@v3
+ - uses: docker/setup-buildx-action@v3
+ - uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Build & Push container
+ uses: docker/build-push-action@v6
+ with:
+ context: .
+ file: ./Dockerfile
+ platforms: linux/amd64
+ push: true
+ provenance: false
+ tags: ${{ env.IMAGE }}:${{ steps.tag.outputs.tag }},${{ env.IMAGE }}:latest
+
+ # Build & publish PyPI (OIDC)
+ - uses: actions/setup-python@v5
+ with:
+ python-version: "3.12"
+
+ - name: Build sdist/wheel
+ run: |
+ python -m pip install -U pip build
+ python -m build
+
+ - name: Publish to PyPI (Trusted Publisher)
+ uses: pypa/gh-action-pypi-publish@release/v1
+ with:
+ skip-existing: true
+ verbose: true
+ env:
+ PYTHON_KEYRING_BACKEND: keyring.backends.null.Keyring
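Review bot: The `Resolver TAG de publicación` step expands `${{ github.event.inputs.tag }}` and `${{ steps.latest.outputs.tag }}` straight into the bash script, so a crafted tag value is interpreted as shell in a job that holds `packages: write`, `id-token: write` and the `pypi` environment; both values should be passed through `env:` and format-checked before they reach `GITHUB_ENV`, the image tag and `pyproject.toml`, as in the fence below. `actions/checkout@v4` is given no `ref`, so the image and wheel are built from whatever ref the run resolves to (the default branch for `workflow_run`) and are only relabelled with the tag; checking out the resolved tag would tie the published artifacts to the tagged source. Two lines also look like they fail at runtime: under `github-script@v7` the REST methods live on `github.rest`, so the call should be `github.rest.repos.getLatestRelease(...)`, and `rf"\1{tag}\2"` becomes `\10…` for a version that starts with a digit, which Python reads as group 10, so `rf"\g<1>{tag}\g<2>"` is needed. Given the publish permissions, pinning the third-party actions to commit SHAs instead of `@v3` / `@release/v1` is worth considering.

```yaml
      - name: Resolver TAG de publicación
        id: tag
        shell: bash
        env:
          EVENT_NAME: ${{ github.event_name }}
          INPUT_TAG: ${{ github.event.inputs.tag }}
          LATEST_TAG: ${{ steps.latest.outputs.tag }}
        run: |
          if [[ "$EVENT_NAME" == "workflow_dispatch" && -n "$INPUT_TAG" ]]; then
            TAG="$INPUT_TAG"
          else
            TAG="$LATEST_TAG"
          fi
          # Accept only vMAJOR.MINOR.PATCH; loosen the pattern if pre-release tags are published.
          if [[ ! "$TAG" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
            echo "Unexpected tag format: $TAG" >&2
            exit 1
          fi
          # … unchanged: writes TAG to GITHUB_ENV / GITHUB_OUTPUT and echoes it …
```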