diff --git a/.github/workflows/release-test.yml b/.github/workflows/release-test.yml
new file mode 100644
index 000000000..0179b3d93
--- /dev/null
+++ b/.github/workflows/release-test.yml
@@ -0,0 +1,31 @@
+name: Release tests
+
+# Trigger oqs-provider release tests.
+# Runs whenever a release is published, or when a commit message ends with "[trigger downstream]"
+# When triggered by a release, the liboqs release tag and the provider "-tracker" branch are used.
+# When triggered by a commit message, the triggering liboqs branch and the provider "-tracker" branch are used.
+# If the tracker branch does not exist, the downstream pipeline should detect it and run on the main branch instead.
+on:
+ push:
+ release:
+ types: [published]
+
+jobs:
+ oqs-provider-release-test:
+ if: github.event_name == 'release' || endsWith( github.event.head_commit.message, '[trigger downstream]' )
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout release tests script
+ uses: actions/checkout@v4
+ with:
+ sparse-checkout: |
+ scripts/provider-test-trigger.sh
+ sparse-checkout-cone-mode: false
+ - name: Trigger oqs-provider release tests
+ run: |
+ CURL_FLAGS="--silent --write-out \n%{response_code}\n" \
+ ACCESS_TOKEN="${{ secrets.OQSBOT_GITHUB_ACTIONS }}" \
+ LIBOQS_REF="${{ github.ref_name }}" \
+ PROVIDER_REF="${{ github.ref_name }}-tracker" \
+ ./scripts/provider-test-trigger.sh | tee curl_out \
+ && grep -q "204" curl_out
diff --git a/scripts/provider-test-trigger.sh b/scripts/provider-test-trigger.sh
new file mode 100755
index 000000000..5fd4807e4
--- /dev/null
+++ b/scripts/provider-test-trigger.sh
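Review bot: The `run:` block of the "Trigger oqs-provider release tests" step expands `${{ github.ref_name }}` and `${{ secrets.OQSBOT_GITHUB_ACTIONS }}` straight into the shell script text, so a ref name containing shell metacharacters is evaluated by the shell in the same step that holds the token. Because `on: push` has no branch filter and the job runs for any commit whose message ends with "[trigger downstream]", the ref is not limited to release tags. Passing the values through the step's `env:` mapping keeps them as data, and a single-quoted YAML string leaves `\n` literal for curl as it is today. The workflow also declares no `permissions:` block; a top-level `permissions:` with `contents: read` looks sufficient for the sparse checkout.

```yaml
      - name: Trigger oqs-provider release tests
        env:
          CURL_FLAGS: '--silent --write-out \n%{response_code}\n'
          ACCESS_TOKEN: ${{ secrets.OQSBOT_GITHUB_ACTIONS }}
          LIBOQS_REF: ${{ github.ref_name }}
          PROVIDER_REF: ${{ github.ref_name }}-tracker
        run: |
          ./scripts/provider-test-trigger.sh | tee curl_out \
            && grep -q "204" curl_out
```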
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+# SPDX-License-Identifier: MIT
+
+# Trigger the oqs-provider release tests in CI.
+
+# Variables:
+# ACCESS_TOKEN: a GitHub Personal Access Token with repo and workflow permissions. Required.
+# LIBOQS_REF: the liboqs branch or tag on which to run. Defaults to "main" if not specified.
+# PROVIDER_REF: the oqs-provider branch or tag on which to run. Defaults to "main" if not specified.
+# CURL_FLAGS: additional flags (e.g., "--silent") to pass to the curl command
+
+if [ -z $ACCESS_TOKEN ]; then
+ echo "This script requires a GitHub Personal Access Token with repo and workflow permissions."
+ exit 1
+fi
+
+# default to running on liboqs main / provider main
+if [ -z $LIBOQS_REF ]; then
+ export LIBOQS_REF="main"
+fi
+if [ -z $PROVIDER_REF ]; then
+ export PROVIDER_REF="main"
+fi
+
+curl $CURL_FLAGS \
+ --request POST \
+ --header "Accept: application/vnd.github+json" \
+ --header "Authorization: Bearer $ACCESS_TOKEN" \
+ --header "X-GitHub-Api-Version: 2022-11-28" \
+ --data "{
+ \"event_type\": \"liboqs-release\",
+ \"client_payload\": {
+ \"liboqs_ref\": \"$LIBOQS_REF\",
+ \"provider_ref\": \"$PROVIDER_REF\"
+ }
+ }" \
+ https://api.github.com/repos/open-quantum-safe/oqs-provider/dispatches
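Review bot: `LIBOQS_REF` and `PROVIDER_REF` are spliced into the `--data` JSON body without validation or escaping, so a ref containing a double quote alters the payload that is sent with the token. Rejecting anything outside the expected ref characters before the curl call closes that, e.g. `case "$LIBOQS_REF$PROVIDER_REF" in *[!A-Za-z0-9._/-]*) echo "invalid ref" >&2; exit 1;; esac`. The three `[ -z $VAR ]` tests should quote their operand (`[ -z "$ACCESS_TOKEN" ]`) so a value containing whitespace does not break the test. The header comment asks for a token with repo and workflow permissions; a repository dispatch probably needs less than that, so it is worth confirming the narrowest scope that works and documenting that instead.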