diff --git a/.gitea/workflows/publish-public-rules.yml b/.gitea/workflows/publish-public-rules.yml
new file mode 100644
index 000000000..635ae5e5d
--- /dev/null
+++ b/.gitea/workflows/publish-public-rules.yml
@@ -0,0 +1,86 @@
+name: Publish Rules To Public Repo
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Validate required settings
+        shell: bash
+        env:
+          PUBLIC_REPO: ${{ vars.PUBLIC_REPO }}
+          PUBLIC_BRANCH: ${{ vars.PUBLIC_BRANCH }}
+          PUBLIC_TOKEN: ${{ secrets.PUBLIC_REPO_TOKEN }}
+        run: |
+          set -euo pipefail
+          if [ -z "${PUBLIC_REPO:-}" ]; then
+            echo "Missing vars.PUBLIC_REPO (format: owner/repo)" >&2
+            exit 1
+          fi
+          if [ -z "${PUBLIC_TOKEN:-}" ]; then
+            echo "Missing secrets.PUBLIC_REPO_TOKEN" >&2
+            exit 1
+          fi
+          if [ -z "${PUBLIC_BRANCH:-}" ]; then
+            echo "PUBLIC_BRANCH not set, default to main"
+          fi
+
+      - name: Checkout private source repo
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          github-server-url: https://git.halonice.com
+
+      - name: Checkout public target repo
+        uses: actions/checkout@v4
+        with:
+          repository: ${{ vars.PUBLIC_REPO }}
+          ref: ${{ vars.PUBLIC_BRANCH || 'main' }}
+          token: ${{ secrets.PUBLIC_REPO_TOKEN }}
+          path: public-repo
+          fetch-depth: 0
+          github-server-url: https://git.halonice.com
+
+      - name: Sync dist files
+        shell: bash
+        run: |
+          set -euo pipefail
+          mkdir -p public-repo/dist
+          rsync -a --delete dist/ public-repo/dist/
+          cat > public-repo/README.md <<TXT
+          # shunt-rules-public
+
+          该仓库存放由私有仓库自动发布的分流规则。
+
+          更新时间（UTC）：$(date -u '+%Y-%m-%d %H:%M:%S')
+
+          目录：
+
+          - dist/surge
+          - dist/loon
+          - dist/clash
+          - dist/mihomo
+          TXT
+
+      - name: Commit and push public repo
+        shell: bash
+        run: |
+          set -euo pipefail
+          cd public-repo
+          git config user.name "gitea-actions[bot]"
+          git config user.email "gitea-actions@localhost"
+          git add -A
+          if git diff --cached --quiet; then
+            echo "No public repo changes"
+            exit 0
+          fi
+          git commit -m "chore: publish latest shunt rules"
+          git push origin "HEAD:${{ vars.PUBLIC_BRANCH || 'main' }}"
diff --git a/README.md b/README.md
index 3a4efd6ce..b5c32b10c 100644
--- a/README.md
+++ b/README.md
@@ -125,3 +125,15 @@ python3 src/rulegen.py --config configs/config.json --names Apple,YouTube
 可选变量：
 
 - `vars.UPSTREAM_REF`（默认 `master`）
+
+## 私有仓库发布到公开仓库
+
+当本仓库是私有时，外部无法直接访问规则文件。可启用以下工作流，将 `dist/` 自动同步到公开仓库：
+
+- `.gitea/workflows/publish-public-rules.yml`
+
+需要在仓库设置中配置：
+
+- `vars.PUBLIC_REPO`：公开仓库，格式 `owner/repo`
+- `vars.PUBLIC_BRANCH`：公开仓库分支（可选，默认 `main`）
+- `secrets.PUBLIC_REPO_TOKEN`：可写入公开仓库的 token