diff --git a/.github/scripts/update-formula.sh b/.github/scripts/update-formula.sh
new file mode 100755
index 0000000..7c5d9ce
--- /dev/null
+++ b/.github/scripts/update-formula.sh
@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+# https://github.com/LEGO/amma-cli/blob/46e3fd94e7bf57820376a08b2edb21abdd636ffb/.github/scripts/update-formula.sh
+set -euxo pipefail
+temp_dir="$(mktemp -d)"
+trap "{ rm -rf ""$temp_dir""; }" EXIT
+
+pushd "$temp_dir"
+gh release download --repo LEGO/assume-aws-sso-role --pattern 'assume-aws-sso-role'
+checksum="$(sha256sum assume-aws-sso-role | awk '{ print $1 }')"
+popd
+
+latest_version=$(gh release view --json name --jq '.name[1:]')
+latest_release="$(gh api repos/LEGO/assume-aws-sso-role/releases/latest --jq '[.assets[] | select(.name | startswith("assume-aws-sso-role"))] | map({(.name): .url}) | add')"
+url="$(jq --raw-output '."assume-aws-sso-role"' <<<"$latest_release")"
+
+sed -i.old \
+  -e "s|version \".*\"|version \"$latest_version\"|" \
+  -e "s|url \".*\"|url \"$url\"|" \
+  -e "s|sha256 \".*\"|sha256 \"$checksum\"|" \
+  assume-aws-sso-role.rb
+rm assume-aws-sso-role.rb.old
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
new file mode 100644
index 0000000..e61c6bf
--- /dev/null
+++ b/.github/workflows/ci.yaml
@@ -0,0 +1,49 @@
+name: CI
+
+on: push
+
+jobs:
+  shellcheck:
+    name: ShellCheck
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Run ShellCheck
+        uses: ludeeus/action-shellcheck@master
+
+  release:
+    name: Release
+    runs-on: ubuntu-latest
+    needs:
+      - shellcheck
+    if: startsWith(github.ref, 'refs/tags/v')
+    steps:
+      - uses: actions/checkout@v3
+      - uses: softprops/action-gh-release@v1
+        with:
+          files: ./assume-aws-sso-role
+
+  formula:
+    name: Update homebrew formula
+    runs-on: ubuntu-latest
+    needs:
+      - release
+    if: startsWith(github.ref, 'refs/tags/v')
+    steps:
+      - uses: actions/checkout@v3
+      - name: Update homebrew formula
+        run: |
+          # Update formula to latest release
+          ./.github/scripts/update-formula.sh
+
+          # Configure git
+          git config --global user.name assume-aws-sso-role
+          git config --global user.email assume-aws-sso-role@LEGO.com
+          git remote set-url origin "https://${GITHUB_ACTOR}:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}"
+
+          # Commit and push changes
+          git add assume-aws-sso-role.rb
+          git commit --message "Update homebrew formula"
+          git push origin HEAD:main
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/assume-aws-sso-role b/assume-aws-sso-role
index a6bad00..6f4e8fd 100755
--- a/assume-aws-sso-role
+++ b/assume-aws-sso-role
@@ -141,12 +141,12 @@ browser_url() {
 }
 
 open_in_browser() {
-    if [ "${platform}" = Darwin ]; then
-      open "$(browser_url "$1")"
-    else
-      echo >&2 "Unsupported platform"
-      return 1
-    fi
+  if [ "${platform}" = Darwin ]; then
+    open "$(browser_url "$1")"
+  else
+    echo >&2 "Unsupported platform"
+    return 1
+  fi
 }
 
 load_credentials_from_file() {
@@ -356,7 +356,7 @@ if ! aws_credentials=$(env -u AWS_PROFILE aws sts assume-role-with-saml --durati
   echo >&2 "Acquire AWS token failed"
   ${exit_cmd} 3
 fi
-aws_token=$(echo ${aws_credentials} | jq ".Version = 1")
+aws_token=$(echo "${aws_credentials}" | jq ".Version = 1")
 echo_maybe "aws_token is ${aws_token}"
 
 expiration=$(echo "${aws_token}" | jq -r ".Expiration")