diff --git a/.github/workflows/zizmor.yaml b/.github/workflows/ci-actions.yaml
similarity index 100%
rename from .github/workflows/zizmor.yaml
rename to .github/workflows/ci-actions.yaml
diff --git a/.github/workflows/check.yaml b/.github/workflows/ci-code.yaml
similarity index 100%
rename from .github/workflows/check.yaml
rename to .github/workflows/ci-code.yaml
diff --git a/.github/workflows/release-assets.yaml b/.github/workflows/release-assets.yaml
new file mode 100644
index 0000000..e7fe9f6
--- /dev/null
+++ b/.github/workflows/release-assets.yaml
@@ -0,0 +1,42 @@
+name: release assets
+
+on:
+ release:
+ types:
+ - created
+
+permissions:
+ contents: read
+
+jobs:
+ assets:
+ name: assets
+ permissions:
+ contents: read
+ id-token: write
+ packages: write
+ runs-on: ubuntu-latest
+ steps:
+ - name: harden runner
+ uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+ with:
+ egress-policy: audit
+
+ - name: checkout
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+ with:
+ persist-credentials: false
+
+ - name: 'install nightly rust toolchain'
+ run: |
+ rustup update --no-self-update nightly
+ rustup default nightly
+
+ - name: 'assemble release artifacts'
+ run: ./hack/assemble.sh
+
+ - name: 'upload release artifacts'
+ run: ./hack/ci/upload-release-assets.sh "${{ github.event.release.tag_name }}"
+ env:
+ GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+ if: ${{ github.event_name == 'release' }}
diff --git a/hack/assemble.sh b/hack/assemble.sh
new file mode 100755
index 0000000..e41cb3e
--- /dev/null
+++ b/hack/assemble.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+set -e
+
+cd "$(dirname "${0}")/.." || exit 1
+
+. "hack/common.sh"
+
+mkdir -p "${ASSEMBLE_DIR}"
+
+build_arch() {
+ ARCHITECTURE="${1}"
+ TARGET_ARCH="${ARCHITECTURE}" ./hack/build.sh
+ cp "target/final/${ARCHITECTURE}/sprout.efi" "${ASSEMBLE_DIR}/sprout-${ARCHITECTURE}.efi"
+}
+
+build_arch x86_64
+build_arch aarch64
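Review bot: In release-assets.yaml the upload step expands `${{ github.event.release.tag_name }}` inside the `run:` line, so the tag text becomes part of the shell source before the shell parses it. Pass it through the environment instead: add `RELEASE_TAG: "${{ github.event.release.tag_name }}"` under `env:` and call `./hack/ci/upload-release-assets.sh "${RELEASE_TAG}"`. The job's permissions also look mismatched with what it does: `gh release upload` writes to the release, which normally requires `contents: write`, while `id-token: write` and `packages: write` are granted but not used by any step in this hunk. If no later change needs them, reduce the block to `contents: write`.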
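Review bot: `mkdir -p "${ASSEMBLE_DIR}"` in hack/assemble.sh reuses whatever is already in that directory, and hack/ci/upload-release-assets.sh in this same commit publishes `./*` from it with `--clobber`, so a file left over from an earlier local build would be uploaded as a release asset. Clearing it first, `rm -rf "${ASSEMBLE_DIR}" && mkdir -p "${ASSEMBLE_DIR}"`, keeps the published set equal to what this run built. Since the outputs are `.efi` binaries, it would also help to write a checksum list next to them (for example a `SHA256SUMS` file produced after the two `build_arch` calls) so a download can be verified against the release.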
diff --git a/hack/build.sh b/hack/build.sh
new file mode 100755
index 0000000..3344425
--- /dev/null
+++ b/hack/build.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+set -e
+
+cd "$(dirname "${0}")/.." || exit 1
+
+. "hack/common.sh"
+
+mkdir -p "${FINAL_DIR}"
+
+cargo build --target "${RUST_TARGET}" --profile "${RUST_PROFILE}" --bin sprout
+cp "target/${RUST_TARGET}/${RUST_TARGET_SUBDIR}/sprout.efi" "${FINAL_DIR}/sprout.efi"
diff --git a/hack/ci/upload-release-assets.sh b/hack/ci/upload-release-assets.sh
new file mode 100755
index 0000000..6909705
--- /dev/null
+++ b/hack/ci/upload-release-assets.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+set -e
+
+retry() {
+ for i in $(seq 1 10); do
+ if "${@}"; then
+ return 0
+ else
+ sleep "${i}"
+ fi
+ done
+ "${@}"
+}
+
+TAG="${1}"
+shift
+
+cd target/assemble
+
+retry gh release upload "${TAG}" --clobber ./*
diff --git a/hack/common.sh b/hack/common.sh
index 0a165e4..f1b21f1 100644
--- a/hack/common.sh
+++ b/hack/common.sh
@@ -20,7 +20,7 @@ HOST_ARCH="$(uname -m)" [ "${TARGET_ARCH}" = "amd64" ] && TARGET_ARCH="x86_64" if [ "${TARGET_ARCH}" != "x86_64" ] && [ "${TARGET_ARCH}" != "aarch64" ]; then - echo "Unsupported Architecture: ${TARGET_ARCH}" >/dev/stderr + echo "Unsupported architecture: ${TARGET_ARCH}" >/dev/stderr exit 1 fi
@@ -34,6 +34,7 @@ RUST_TARGET="${TARGET_ARCH}-unknown-uefi" [ -z "${DOCKER_TAG}" ] && DOCKER_TAG="${DEFAULT_DOCKER_TAG}" DOCKER_TARGET="linux/${TARGET_ARCH}" FINAL_DIR="target/final/${TARGET_ARCH}" +ASSEMBLE_DIR="target/assemble" if [ -z "${QEMU_ACCEL}" ] && [ "${TARGET_ARCH}" = "${HOST_ARCH}" ] && [ -f "/proc/cpuinfo" ] &&
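Review bot: `cargo build` in hack/build.sh runs without `--locked`, so a release build may re-resolve dependencies if Cargo.lock is missing or out of step with Cargo.toml, and the published binary could then contain crate versions nobody reviewed. Using `cargo build --locked --target "${RUST_TARGET}" --profile "${RUST_PROFILE}" --bin sprout` makes the build fail instead of silently updating. This assumes Cargo.lock is committed, which is not visible in this diff. The workflow's floating `nightly` toolchain has the same reproducibility gap; pinning a dated nightly would be the matching fix.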
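Review bot: hack/ci/upload-release-assets.sh never checks that the tag is non-empty, so an empty argument (for example `""` from an unset expression) reaches `gh release upload ""`, which then fails eleven times with about 55 seconds of sleeps before the script exits. A guard right after the assignment, `[ -n "${TAG}" ] || { echo "usage: ${0} TAG" >&2; exit 1; }`, fails fast. The script also does `cd target/assemble` relative to the caller's working directory, unlike assemble.sh and build.sh, which first `cd "$(dirname "${0}")/.."`; resolving the repository root the same way (two levels up from hack/ci) and using `ASSEMBLE_DIR` would keep the path defined in one place. `retry` deserves a one-line comment stating that it makes up to eleven attempts with linearly growing sleeps.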