diff --git a/.forgejo/workflows/publish.yml b/.forgejo/workflows/publish.yml
new file mode 100644
index 0000000..9ce552d
--- /dev/null
+++ b/.forgejo/workflows/publish.yml
@@ -0,0 +1,81 @@
+# Publish workflow for @lilith monorepo packages (and subs).
+# Uses the on-demand horizontally scaled ct-forge runners on DO.
+# For sub packages, the logic reads _ flags from each package.json; or use path filters.
+# This is a starting point; extend with matrix for multiple packages if needed.
+
+name: Build and Publish (lilith packages)
+
+on:
+  push:
+    branches: [main, master]
+    paths:
+      - '@lilith/**'
+      - 'redroid-client/**'
+      - '.forgejo/workflows/publish.yml'
+  workflow_dispatch:
+
+env:
+  NODE_VERSION: '22'
+  PNPM_VERSION: '9'
+
+jobs:
+  build-and-publish:
+    runs-on: [self-hosted, linux, do, ct-forge, publish]
+    strategy:
+      matrix:
+        package: ["lix-build", "lix-configs", "mcp-common", "redroid-mcp", "ui-fab", "ui-icons", "ui-zname", "redroid-client"]
+      fail-fast: false
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+
+      - name: Setup pnpm (for TS packages)
+        run: |
+          npm install -g pnpm@${{ env.PNPM_VERSION }} || true
+          echo "Node: $(node --version)"
+          echo "pnpm: $(pnpm --version)"
+
+      - name: Configure for ct-forge registries (verdaccio for npm, pypiserver for py)
+        run: |
+          # npm
+          echo "@lilith:registry=https://npm.ct.uvlava.com/" > .npmrc || true
+          echo "//npm.ct.uvlava.com/:_authToken=${{ secrets.NPM_TOKEN || '' }}" >> .npmrc || true
+          # py example (for redroid-client)
+          echo "[pypi]" > ~/.pypirc || true
+          echo "repository = https://pypi.ct.uvlava.com/" >> ~/.pypirc || true
+          echo "username = __token__" >> ~/.pypirc || true
+          echo "password = ${{ secrets.PYPI_TOKEN || '' }}" >> ~/.pypirc || true
+
+      - name: Build/publish selected package
+        run: |
+          PKG_DIR="${{ matrix.package }}"
+          if [ -f "$PKG_DIR/package.json" ]; then
+            cd "$PKG_DIR"
+            # similar transform and logic as template
+            node -e '
+              const fs = require("fs");
+              const pkg = JSON.parse(fs.readFileSync("package.json", "utf8"));
+              if (pkg.dependencies) {
+                for (const k in pkg.dependencies) {
+                  if (String(pkg.dependencies[k]).startsWith("workspace:") || String(pkg.dependencies[k]).startsWith("file:")) pkg.dependencies[k] = "*";
+                }
+              }
+              fs.writeFileSync("package.json", JSON.stringify(pkg, null, 2));
+            ' || true
+            pnpm install --no-frozen-lockfile --prefer-offline || npm install || true
+            if [ "$(node -p 'require("./package.json")._.publish || false')" = "true" ]; then
+              npm publish --access public --no-git-checks --registry https://npm.ct.uvlava.com/ || true
+            fi
+          elif [ -f "$PKG_DIR/pyproject.toml" ]; then
+            cd "$PKG_DIR"
+            pip install build twine || true
+            python -m build || true
+            twine upload --repository-url https://pypi.ct.uvlava.com/ dist/* || true
+          fi
+
+      # Swift packages would use similar with swift build and git tag or forgejo swift registry push.