diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 87b9786..6f317ed 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -1,9 +1,24 @@
 name: build
 on:
   push:
-    branches:
-      - main
+    # branches:
+    #   - main
+    tags:
+      - "v*.*.*"
 
+permissions:
+  actions: read
+  checks: read
+  contents: write
+  deployments: read
+  issues: read
+  discussions: read
+  packages: read
+  pull-requests: read
+  repository-projects: read
+  security-events: read
+  statuses: read
+      
 jobs:
   build:
     runs-on: macos-13
@@ -11,64 +26,85 @@ jobs:
       - uses: actions/checkout@v3
         name: Checkout
 
-      - name: Install go
-        run: |
-          brew install go
-          GO_BINARY=$(which go)
-          echo "GO_BINARY=$GO_BINARY" >> .xcode.env.local
+      # - name: Install go
+      #   run: |
+      #     brew install go
+      #     GO_BINARY=$(which go)
+      #     echo "GO_BINARY=$GO_BINARY" >> .xcode.env.local
 
-      - name: Select Xcode
-        run: sudo xcode-select -s "/Applications/Xcode_15.1.app"
+      # - name: Select Xcode
+      #   run: sudo xcode-select -s "/Applications/Xcode_15.1.app"
 
-      - name: Resolve dependencies
-        run: xcodebuild -resolvePackageDependencies
+      # - name: Resolve dependencies
+      #   run: xcodebuild -resolvePackageDependencies
 
-      - name: Config environment
-        run: |
-          SCHEME=$(xcodebuild -list -json | jq -r '.project.schemes[0]')
-
-          BUILD_SETTINGS=$(xcodebuild -scheme "$SCHEME" -showBuildSettings -json | jq -r '.[0].buildSettings')
-          FULL_PRODUCT_NAME=$(echo $BUILD_SETTINGS | jq -r '.FULL_PRODUCT_NAME')
-          PRODUCT_NAME=$(echo $BUILD_SETTINGS | jq -r '.PRODUCT_NAME')
-          echo "SCHEME=$SCHEME" >> "$GITHUB_ENV"
-          echo "FULL_PRODUCT_NAME=$FULL_PRODUCT_NAME" >> "$GITHUB_ENV"
-          echo "PRODUCT_NAME=$PRODUCT_NAME" >> "$GITHUB_ENV"
-
-      - name: Install the Apple certificate
-        env:
-          BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }}
-          P12_PASSWORD: ${{ secrets.P12_PASSWORD }}
-          KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
-        run: |
-          # create variables
-          CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
-          KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
+      # - name: Config environment
+      #   run: |
+      #     SCHEME=$(xcodebuild -list -json | jq -r '.project.schemes[0]')
+
+      #     BUILD_SETTINGS=$(xcodebuild -scheme "$SCHEME" -showBuildSettings -json | jq -r '.[0].buildSettings')
+      #     FULL_PRODUCT_NAME=$(echo $BUILD_SETTINGS | jq -r '.FULL_PRODUCT_NAME')
+      #     PRODUCT_NAME=$(echo $BUILD_SETTINGS | jq -r '.PRODUCT_NAME')
+      #     echo "SCHEME=$SCHEME" >> "$GITHUB_ENV"
+      #     echo "FULL_PRODUCT_NAME=$FULL_PRODUCT_NAME" >> "$GITHUB_ENV"
+      #     echo "PRODUCT_NAME=$PRODUCT_NAME" >> "$GITHUB_ENV"
+
+      # - name: Install the Apple certificate
+      #   env:
+      #     BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }}
+      #     P12_PASSWORD: ${{ secrets.P12_PASSWORD }}
+      #     KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
+      #   run: |
+      #     # create variables
+      #     CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
+      #     KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
 
-          # import certificate from secrets
-          echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode -o $CERTIFICATE_PATH
+      #     # import certificate from secrets
+      #     echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode -o $CERTIFICATE_PATH
 
-          # create temporary keychain
-          security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
-          security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
-          security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+      #     # create temporary keychain
+      #     security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+      #     security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
+      #     security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
 
-          # import certificate to keychain
-          security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
-          security list-keychain -d user -s $KEYCHAIN_PATH
+      #     # import certificate to keychain
+      #     security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
+      #     security list-keychain -d user -s $KEYCHAIN_PATH
 
-      - name: Build
-        run: xcodebuild -scheme "$SCHEME" install DSTROOT=Build | xcpretty
+      # - name: Build
+      #   run: xcodebuild -scheme "$SCHEME" install DSTROOT=Build | xcpretty
 
-      - name: Package
+      # - name: Package
+      #   run: |
+      #     npm install -g create-dmg
+      #     mkdir -p Build/dmg
+      #     create-dmg "Build/Applications/$FULL_PRODUCT_NAME" Build/dmg
+      #     mv Build/dmg/*.dmg Build/$PRODUCT_NAME.dmg
+      #     rm -r Build/dmg
+
+      # - name: Archive production artifacts
+      #   uses: actions/upload-artifact@v3
+      #   with:
+      #     name: ${{ env.PRODUCT_NAME }}.dmg
+      #     path: Build/${{ env.PRODUCT_NAME }}.dmg
+
+      - name: Prepare for release
+        if: startsWith(github.ref, 'refs/tags/')
         run: |
-          npm install -g create-dmg
-          mkdir -p Build/dmg
-          create-dmg "Build/Applications/$FULL_PRODUCT_NAME" Build/dmg
-          mv Build/dmg/*.dmg Build/$PRODUCT_NAME.dmg
-          rm -r Build/dmg
-
-      - name: Archive production artifacts
-        uses: actions/upload-artifact@v3
+          set -e
+          VERSION=$(cat package.json | jq -r .version)
+          DMG_NAME="Build/DotLocal-v$VERSION.dmg"
+          CHANGELOG_PATH="$RUNNER_TEMP/CHANGELOG.md"
+
+          ./scripts/changelog $VERSION > $CHANGELOG_PATH
+          cp Build/DotLocal.dmg $DMG_NAME
+
+          echo "VERSION=$VERSION" >> "$GITHUB_ENV"
+          echo "DMG_NAME=$DMG_NAME" >> "$GITHUB_ENV"
+          echo "CHANGELOG_PATH=$CHANGELOG_PATH" >> "$GITHUB_ENV"
+
+      - name: Release
+        uses: softprops/action-gh-release@v1
+        if: startsWith(github.ref, 'refs/tags/')
         with:
-          name: ${{ env.PRODUCT_NAME }}.dmg
-          path: Build/${{ env.PRODUCT_NAME }}.dmg
+          files: ${{ env.DMG_NAME }}
diff --git a/Build/DotLocal.dmg b/Build/DotLocal.dmg
new file mode 100644
index 0000000..5c3118d
--- /dev/null
+++ b/Build/DotLocal.dmg
@@ -0,0 +1 @@
+dummy file
diff --git a/scripts/changelog b/scripts/changelog
new file mode 100755
index 0000000..24ec1fb
--- /dev/null
+++ b/scripts/changelog
@@ -0,0 +1,37 @@
+#!/bin/bash
+
+set -e
+
+VERSION=$1
+if [ -z "$VERSION" ]; then
+  echo "usage: $0 <version>"
+  exit 1
+fi
+
+# read CHANGELOG.md line by line
+# if line starts with ## $VERSION, print all lines until next ##
+
+STATE='find_version'
+
+while read -r line; do
+  if [[ $STATE == 'find_version' ]]; then
+    if [[ $line == "## $VERSION"* ]]; then
+      echo $line
+      STATE='print_until_next_version'
+    elif [[ $line == "# "* ]]; then
+      echo $line
+      echo ''
+    fi
+  elif [[ $STATE == 'print_until_next_version' ]]; then
+    if [[ $line == "## "* ]]; then
+      break
+    else
+      echo $line
+    fi
+  fi
+done < CHANGELOG.md
+
+if [[ $STATE == 'find_version' ]]; then
+  echo "Could not find beginning of version $VERSION"
+  exit 1
+fi