diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a13f992..329239e 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -165,3 +165,97 @@ jobs:
       - name: Build packages
         run: pnpm build
 
+  publish:
+    name: Publish
+    runs-on: ubuntu-latest
+    needs: [build]
+    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          fetch-depth: 2
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+        with:
+          node-version: '22'
+          cache: 'pnpm'
+          registry-url: 'https://registry.npmjs.org'
+
+      - name: Cache tree-sitter CLI
+        id: cache-tree-sitter
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
+        with:
+          path: ~/.local/bin/tree-sitter
+          key: tree-sitter-${{ env.TREE_SITTER_VERSION }}-linux-x64
+
+      - name: Install tree-sitter CLI
+        if: steps.cache-tree-sitter.outputs.cache-hit != 'true'
+        run: |
+          mkdir -p ~/.local/bin
+          curl -sSL "https://github.com/tree-sitter/tree-sitter/releases/download/v${TREE_SITTER_VERSION}/tree-sitter-linux-x64.gz" \
+            | gunzip > ~/.local/bin/tree-sitter
+          chmod +x ~/.local/bin/tree-sitter
+
+      - name: Add tree-sitter to PATH
+        run: echo "$HOME/.local/bin" >> "$GITHUB_PATH"
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Build packages
+        run: pnpm build
+
+      - name: Publish packages with version bumps
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+        run: |
+          for dir in packages/*/; do
+            pkg_json="${dir}package.json"
+
+            # Skip private packages
+            is_private=$(jq -r '.private // false' "$pkg_json")
+            if [ "$is_private" = "true" ]; then
+              echo "Skipping private package: $dir"
+              continue
+            fi
+
+            # Get the current package name and version
+            current_name=$(jq -r '.name' "$pkg_json")
+            current_version=$(jq -r '.version' "$pkg_json")
+
+            # Derive the publish name: @agentscript/foo -> @agentforce/agentscript-foo
+            short_name="${current_name#@agentscript/}"
+            publish_name="@agentforce/agentscript-${short_name}"
+
+            # Check if this version is already published
+            published_version=$(npm view "${publish_name}@${current_version}" version 2>/dev/null || echo "")
+
+            if [ "$published_version" = "$current_version" ]; then
+              echo "Already published: ${publish_name}@${current_version}"
+              continue
+            fi
+
+            echo "Publishing ${publish_name}@${current_version}..."
+
+            # Temporarily set the publish name in package.json
+            jq --arg name "$publish_name" '.name = $name' "$pkg_json" > "${pkg_json}.tmp"
+            mv "${pkg_json}.tmp" "$pkg_json"
+
+            # Publish with public access (required for scoped packages)
+            (cd "$dir" && npm publish --access public --provenance)
+
+            # Restore original name
+            jq --arg name "$current_name" '.name = $name' "$pkg_json" > "${pkg_json}.tmp"
+            mv "${pkg_json}.tmp" "$pkg_json"
+
+            echo "Published ${publish_name}@${current_version}"
+          done
+