diff --git a/.github/workflows/production-release.yaml b/.github/workflows/production-release.yaml
new file mode 100644
index 00000000..18349196
--- /dev/null
+++ b/.github/workflows/production-release.yaml
@@ -0,0 +1,172 @@
+name: Production Release
+
+on:
+  workflow_dispatch:
+
+concurrency: production-release-main
+
+permissions:
+  contents: write
+
+jobs:
+  build:
+    name: Build and test (production)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          ref: main
+      - name: Set up Python 3.11
+        uses: actions/setup-python@v6
+        with:
+          python-version: "3.11"
+      - name: Setup fontspector
+        uses: fonttools/setup-fontspector@main
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Install toolset
+        run: |
+          sudo apt-get update
+          sudo apt-get install ttfautohint libcairo2-dev python3-cairo-dev pkg-config python3-dev
+          sudo snap install yq
+      - uses: actions/cache@v4
+        with:
+          path: ./venv/
+          key: ${{ runner.os }}-venv-${{ hashFiles('**/requirements*.txt') }}
+          restore-keys: |
+            ${{ runner.os }}-venv-
+      - name: Set artifact file name
+        id: zip-name
+        shell: bash
+        # Set the archive name to repo name + "-fonts" e.g "radiocanadafonts-fonts.zip"
+        run: echo "ZIP_NAME=$(echo '${{ github.repository }}' | awk -F '/' '{print $2}')-fonts" >> $GITHUB_ENV
+      - name: Build font
+        run: make build
+      - name: Check with fontspector
+        run: make test
+        continue-on-error: true
+      - name: Generate proofs
+        run: make proof
+      - name: Set up test result site
+        run: cp scripts/index.html out/index.html
+      - name: Archive artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ env.ZIP_NAME }}
+          path: |
+            fonts
+            out
+      - name: Archive npm release artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: geist-font-fonts-npm
+          path: |
+            geist-font.zip
+            packages/next/dist/fonts
+    outputs:
+      zip_name: ${{ env.ZIP_NAME }}
+
+  release:
+    name: Production release
+    needs: build
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          ref: main
+          fetch-depth: 0
+
+      - name: Download font artifacts
+        uses: actions/download-artifact@v5
+        with:
+          name: geist-font-fonts-npm
+          path: ./artifacts
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version-file: .nvmrc
+
+      # Hardcoded because we know it works, it would be fine to try to upgrade
+      - name: 'Install corepack@0.31'
+        shell: bash
+        run: |
+          npm install -g corepack@0.31
+          echo "corepack version after: $(corepack --version)"
+
+      - name: Enable Corepack
+        run: corepack enable
+
+      - name: Configure npm auth
+        run: npm config set //registry.npmjs.org/:_authToken="${NPM_TOKEN}"
+        env:
+          NPM_TOKEN: ${{ secrets.NPM_TOKEN_ELEVATED }}
+
+      - name: Install dependencies
+        working-directory: packages/next
+        run: pnpm install --frozen-lockfile
+
+      - name: Ensure changeset exists
+        run: |
+          if ! find packages/next/.changeset -maxdepth 1 -type f -name "*.md" ! -name "README.md" | grep -q .; then
+            echo "No changesets found in packages/next/.changeset. Add one before running a production release."
+            exit 1
+          fi
+
+      - name: Ensure prerelease mode is not enabled
+        run: |
+          if [ -f packages/next/.changeset/pre.json ]; then
+            echo "Changesets prerelease mode is enabled (packages/next/.changeset/pre.json). Exit prerelease mode before a production release."
+            exit 1
+          fi
+
+      - name: Move the font files for npm from build artifacts to the npm package
+        run: |
+          rm -rf packages/next/dist/fonts
+          mv artifacts/packages/next/dist/fonts packages/next/dist/fonts
+
+      - name: Version packages
+        working-directory: packages/next
+        run: pnpm changeset version
+
+      - name: Commit version changes
+        run: |
+          if git diff --quiet; then
+            echo "No version changes to commit."
+            exit 0
+          fi
+
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+          git config user.name "github-actions[bot]"
+
+          git checkout -B main
+          git add -A
+          if git diff --cached --quiet; then
+            echo "Nothing staged."
+            exit 0
+          fi
+          git commit -m "chore: version packages for production release"
+          git push origin "HEAD:main"
+
+      - name: Publish production
+        working-directory: packages/next
+        run: pnpm changeset publish
+        env:
+          NPM_TOKEN: ${{ secrets.NPM_TOKEN_ELEVATED }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      # Upload the built font zip to the GitHub release for the published npm package.
+      - name: Upload font zip to GitHub Release
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          VERSION=$(jq -r '.version' packages/next/package.json)
+          TAG="geist@$VERSION"
+
+          if ! gh release view "$TAG" >/dev/null 2>&1; then
+            gh release create "$TAG" --title "$TAG" --notes "Production release for $TAG"
+          fi
+
+          mv artifacts/geist-font.zip "geist-font-v$VERSION.zip"
+          gh release upload "$TAG" "geist-font-v$VERSION.zip" --clobber