diff --git a/.github/workflows/tagged_image.yaml b/.github/workflows/tagged_image.yaml
new file mode 100644
index 000000000..67dc3f65c
--- /dev/null
+++ b/.github/workflows/tagged_image.yaml
@@ -0,0 +1,39 @@
+---
+name: Create SemVer-tagged OCI image
+on:
+ push:
+ tags:
+ - '*'
+
+permissions: read-all
+
+jobs:
+ publish-image:
+ runs-on: ubuntu-22.04
+ permissions:
+ packages: write
+ id-token: write
+ steps:
+
+ - name: Checkout
+ uses: >- # v4.1.1
+ actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+
+ - name: Install Nix
+ uses: >- # v7
+ DeterminateSystems/nix-installer-action@5620eb4af6b562c53e4d4628c0b6e4f9d9ae8612
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Test image
+ run: |
+ nix run .#local-image-test
+
+ - name: Upload image
+ run: |
+ nix run .#publish-ghcr ${{github.ref_name}}
+ env:
+ GHCR_REGISTRY: ghcr.io
+ GHCR_USERNAME: ${{ github.actor }}
+ GHCR_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
+ GHCR_IMAGE_NAME: ${{ github.repository }}
diff --git a/tools/publish-ghcr.nix b/tools/publish-ghcr.nix
index 53e3682a9..f8d1b9257 100644
--- a/tools/publish-ghcr.nix
+++ b/tools/publish-ghcr.nix
@@ -13,7 +13,9 @@ pkgs.writeShellScriptBin "publish-ghcr" ''
 # nothing would still lead to a new hash. Instead we use the
 # derivation hash as the tag so that the tag is reused if the image
 # didn't change.
- IMAGE_TAG=$(nix eval .#image.imageTag --raw)
+ #
+ # If a positional argument is passed it overrides the tag value.
+ IMAGE_TAG=''${1:-$(nix eval .#image.imageTag --raw)}
 TAGGED_IMAGE=''${GHCR_REGISTRY}/''${GHCR_IMAGE_NAME,,}:''${IMAGE_TAG}
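Review bot: In the `Upload image` step, `${{github.ref_name}}` is expanded into the `run:` script text before the shell parses it, so a tag name containing shell metacharacters is interpreted as shell syntax in a job that holds `packages: write`, `id-token: write` and `GITHUB_TOKEN`. Pass the value through the environment instead: add `RELEASE_TAG: ${{ github.ref_name }}` under that step's `env:` and call `nix run .#publish-ghcr "$RELEASE_TAG"`. The `'*'` tag filter also fires on every tag rather than only SemVer ones as the workflow name suggests; a narrower filter such as `'v[0-9]+.[0-9]+.[0-9]+'` would limit which tag names reach the publish step, though the project's tag scheme is not visible here, so the pattern needs adjusting to it.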
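Review bot: The positional override on the new `IMAGE_TAG=` line is used verbatim in `TAGGED_IMAGE` on the following line, with no check that it is a valid OCI tag. The workflow added in this commit passes a git tag name here, and git allows characters that a registry tag does not (for example `+` from SemVer build metadata), so a guard right after the assignment would fail early with a clear message: `[[ "$IMAGE_TAG" =~ ^[A-Za-z0-9_][A-Za-z0-9._-]{0,127}$ ]] || { echo "invalid image tag: $IMAGE_TAG" >&2; exit 1; }`. The comment could also say that an overridden tag is no longer derived from the image contents, so publishing the same tag again replaces what it points to and consumers needing immutability should pin the digest. The script body starts and ends outside this hunk, so whether a later step already validates the tag cannot be seen here.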