diff --git a/.github/actions/build_tf_provider/action.yml b/.github/actions/build_tf_provider/action.yml
new file mode 100644
index 0000000000..9352a797c3
--- /dev/null
+++ b/.github/actions/build_tf_provider/action.yml
@@ -0,0 +1,43 @@
+name: Build Terraform provider
+description: |
+  Builds Terraform provider binaries cross platform.
+inputs:
+  targetOS:
+    description: "Build for this OS. [linux, darwin, windows]"
+    required: true
+    default: "linux"
+  targetArch:
+    description: "Build for this architecture. [amd64, arm64]"
+    required: true
+    default: "amd64"
+  outputPath:
+    description: "Output path of the binary"
+    required: false
+runs:
+  using: "composite"
+  steps:
+    # https://github.blog/2022-04-12-git-security-vulnerability-announced/
+    - name: Mark repository safe
+      shell: bash
+      run: |
+        git config --global --add safe.directory /__w/constellation/constellation
+
+    - name: Build Binaries
+      shell: bash
+      env:
+        TARGET_GOOS: ${{ inputs.targetOS }}
+        TARGET_GOARCH: ${{ inputs.targetArch }}
+        OUTPUT_PATH: ${{ inputs.outputPath || format('./build/terraform-provider-constellation-{0}-{1}', inputs.targetOS, inputs.targetArch) }}${{ inputs.targetOS == 'windows' && '.exe' || '' }}
+      run: |
+        echo "::group::Build Terraform provider"
+        mkdir -p "$(dirname "${OUTPUT_PATH}")"
+        label="//terraform-provider-constellation:tf_provider_${TARGET_GOOS}_${TARGET_GOARCH}"
+        bazel build "${label}"
+        repository_root=$(git rev-parse --show-toplevel)
+        out_rel=$(bazel cquery --output=files "${label}")
+        out_loc="$(realpath "${repository_root}/${out_rel}")"
+        cp "${out_loc}" "${OUTPUT_PATH}"
+        chmod +w "${OUTPUT_PATH}"
+        export PATH="$PATH:$(realpath $(dirname "${OUTPUT_PATH}"))"
+        echo "$(realpath $(dirname "${OUTPUT_PATH}"))" >> $GITHUB_PATH
+        echo "::endgroup::"
diff --git a/.github/workflows/build-binaries.yml b/.github/workflows/build-binaries.yml
index 15f5cf245f..949f36dd4d 100644
--- a/.github/workflows/build-binaries.yml
+++ b/.github/workflows/build-binaries.yml
@@ -52,3 +52,6 @@ jobs:
             "${disk_mapper}" \
             "${measurement_reader}" \
             "${cli}"
+
+      - name: Build Terraform Provider Binary
+        uses: ./.github/actions/build_tf_provider
diff --git a/.github/workflows/release-tf-provider.yml b/.github/workflows/release-tf-provider.yml
new file mode 100644
index 0000000000..09f66a3c62
--- /dev/null
+++ b/.github/workflows/release-tf-provider.yml
@@ -0,0 +1,70 @@
+name: Build Terraform provider and prepare release
+
+on:
+  workflow_dispatch:
+    inputs:
+      ref:
+        type: string
+        description: "Git ref to checkout"
+        required: false
+  workflow_call:
+    inputs:
+      ref:
+        type: string
+        description: "Git ref to checkout"
+        required: true
+
+jobs:
+  build-tf-provider:
+    runs-on: ubuntu-22.04
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - arch: amd64
+            os: linux
+
+          - arch: amd64
+            os: darwin
+
+          - arch: amd64
+            os: windows
+
+          - arch: arm64
+            os: linux
+
+          - arch: arm64
+            os: darwin
+    steps:
+      - name: Checkout
+        id: checkout
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        with:
+          ref: ${{ inputs.ref || github.head_ref }}
+
+      - name: Setup bazel
+        uses: ./.github/actions/setup_bazel_nix
+        with:
+          useCache: "false"
+
+      - name: Build Terraform Provider Binary
+        uses: ./.github/actions/build_tf_provider
+        with:
+          targetOS: ${{ matrix.os }}
+          targetArch: ${{ matrix.arch }}
+
+      - name: Upload Terraform Provider Binary as artifact (unix)
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        if : ${{ matrix.os != 'windows' }}
+        with:
+          name: terraform-provider-constellation-${{ matrix.os }}-${{ matrix.arch }}
+          path: |
+            build/terraform-provider-constellation-${{ matrix.os }}-${{ matrix.arch }}
+
+      - name: Upload Terraform Provider Binary as artifact (windows)
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        if : ${{ matrix.os == 'windows' }}
+        with:
+          name: terraform-provider-constellation-${{ matrix.os }}-${{ matrix.arch }}
+          path: |
+            build/terraform-provider-constellation-${{ matrix.os }}-${{ matrix.arch }}.exe
diff --git a/terraform-provider-constellation/BUILD.bazel b/terraform-provider-constellation/BUILD.bazel
index 04717e8c42..f6a6bfc144 100644
--- a/terraform-provider-constellation/BUILD.bazel
+++ b/terraform-provider-constellation/BUILD.bazel
@@ -1,5 +1,5 @@
 load("@aspect_bazel_lib//lib:copy_file.bzl", "copy_file")
-load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_library")
+load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_cross_binary", "go_library")
 
 # keep
 go_binary(
@@ -10,6 +10,22 @@ go_binary(
     visibility = ["//visibility:public"],
 )
 
+[
+    go_cross_binary(
+        name = "tf_provider_%s" % platform,
+        platform = "@io_bazel_rules_go//go/toolchain:" + platform,
+        target = ":tf_provider",
+        visibility = ["//visibility:public"],
+    )
+    for platform in [
+        "darwin_amd64",
+        "darwin_arm64",
+        "linux_amd64",
+        "linux_arm64",
+        "windows_amd64",
+    ]
+]
+
 go_library(
     name = "terraform-provider-constellation_lib",
     srcs = ["main.go"],