diff --git a/.github/workflows/build-on-tag.yml b/.github/workflows/build-on-tag.yml
new file mode 100644
index 0000000..a199e87
--- /dev/null
+++ b/.github/workflows/build-on-tag.yml
@@ -0,0 +1,28 @@
+name: Build and Release (Tag)
+
+on:
+  push:
+    tags:
+      - '*'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Docker build
+        run: docker build --platform linux/amd64 --tag si-moko .
+
+      - name: Docker run
+        run: docker run --platform linux/amd64 --env "PUBLIC_KEY_HEX=${{ secrets.PUBLIC_KEY_HEX }}" --name firmware-container si-moko
+
+      - name: Copy firmware from container
+        run: docker cp firmware-container:/spaceinvader/dist/firmware.bin ${{ github.workspace }}/firmware.bin
+
+      - name: Create Release
+        uses: softprops/action-gh-release@v1
+        with:
+          files: ${{ github.workspace }}/firmware.bin
+          tag_name: ${{ github.ref_name }}
diff --git a/.gitignore b/.gitignore
index 7ad05b1..aef1ca4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -55,4 +55,6 @@ apps/firmware/build/_build/
 .DS_Store
 apps/firmware/dfu_images/private.key
 # apps/firmware/dfu_images/public_key.c
-_build/
\ No newline at end of file
+_build/
+
+.idea/
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
index 451e89f..6cdec00 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,7 +2,7 @@ FROM debian:bookworm-slim as build-env
 
 # Install OS packages
 RUN apt-get update
-RUN apt-get install -y git build-essential wget
+RUN apt-get install -y git build-essential wget srecord
 
 # https://github.com/micropython/micropython/issues/8685
 RUN wget --no-verbose "https://developer.arm.com/-/media/Files/downloads/gnu/11.3.rel1/binrel/arm-gnu-toolchain-11.3.rel1-x86_64-arm-none-eabi.tar.xz?rev=95edb5e17b9d43f28c74ce824f9c6f10&hash=D5ACE3A6F75F603551D7702E00ED7B29" -O /tmp/arm-gnu-toolchain.tar.xz
diff --git a/build.sh b/build.sh
index cb36497..027b60a 100755
--- a/build.sh
+++ b/build.sh
@@ -42,8 +42,22 @@ mergehex --merge bl_settings.hex secure_bootloader_moko.hex nrf52810_xxaa.hex s1
 # debug
 ls -alh firmware.hex
 
-# Convert the HEX file to a BIN file
-arm-none-eabi-objcopy --input-target=ihex --output-target=binary firmware.hex $WORKSPACE/dist/firmware.bin
+# Produce the DFU release artifact: the APPLICATION-ONLY binary.
+#
+# The backend's DFU pipeline (blu-transmogrifier) patches a per-device key into
+# this binary and packages it as a buttonless *application* DFU, so it expects
+# ONLY the application image (the same ~50 KB shape as the legacy
+# nrf52810_xxaa.bin) -- NOT the merged MBR+SoftDevice+bootloader+app image.
+#
+# nrf52810_xxaa.hex is the app-only build output (linked above the SoftDevice).
+# objcopy -O binary writes it starting at the app's first byte, so the file
+# begins with the application vector table. The app hex has no UICR/FICR record,
+# so the old 256 MB blow-up cannot happen here -- no crop/fill needed.
+arm-none-eabi-objcopy -I ihex -O binary nrf52810_xxaa.hex $WORKSPACE/dist/firmware.bin
+
+# Keep the full merged image (MBR + SoftDevice + bootloader + settings + app)
+# for first-time factory provisioning over SWD. Not used by the DFU pipeline.
+cp firmware.hex $WORKSPACE/dist/firmware.hex
 
 # debug
-ls -alh $WORKSPACE/dist/firmware.bin
+ls -alh $WORKSPACE/dist/firmware.bin $WORKSPACE/dist/firmware.hex