diff --git a/.azure-pipelines/publish-docker.yml b/.azure-pipelines/publish-docker.yml
new file mode 100644
index 0000000000000..b8940ca8e64ed
--- /dev/null
+++ b/.azure-pipelines/publish-docker.yml
@@ -0,0 +1,91 @@
+# Publishes Playwright Docker images to playwright.azurecr.io on stable release tags.
+# Azure DevOps port of .github/workflows/publish_release_docker.yml.
+#
+# Trigger: any `v*` tag push (e.g. v1.40.0). Pre-release tags (v1.40.0-beta, -next,
+# -alpha) are excluded — publish_docker.sh also hard-errors on non-stable versions.
+# Can also be queued manually from the ADO UI (the workflow_dispatch equivalent).
+trigger:
+  tags:
+    include:
+      - v*
+    exclude:
+      - v*-*
+
+pr: none
+
+resources:
+  repositories:
+  - repository: 1esPipelines
+    type: git
+    name: 1ESPipelineTemplates/1ESPipelineTemplates
+    ref: refs/tags/release
+
+extends:
+  template: v1/1ES.Official.PipelineTemplate.yml@1esPipelines
+  parameters:
+    pool:
+      name: DevDivPlaywrightAzurePipelinesUbuntu2204
+      os: linux
+    sdl:
+      sourceAnalysisPool:
+        name: DevDivPlaywrightAzurePipelinesWindows2022
+        # The image must be windows-based due to restrictions of the SDL tools. See: https://aka.ms/AAo6v8e
+        os: windows
+    stages:
+    - stage: Publish
+      jobs:
+      - job: PublishDocker
+        displayName: "Publish Docker images to ACR"
+        # arm64 images are cross-built under QEMU emulation, which is slow.
+        timeoutInMinutes: 360
+        steps:
+        - checkout: self
+          fetchDepth: 0
+          displayName: "Checkout code"
+
+        - task: UseNode@1
+          inputs:
+            version: '22.x'
+          displayName: "Install Node.js"
+
+        # Relocate the Docker data-root to the large /mnt volume: this job builds
+        # 6 images (jammy/noble/resolute x amd64/arm64) and `docker system prune`s
+        # between them, so the default disk fills up.
+        - task: Bash@3
+          displayName: "Setup docker"
+          inputs:
+            targetType: "inline"
+            script: |
+              set -x
+              sudo service docker stop
+              sudo mkdir -p /etc/docker
+              echo '{ "data-root": "/mnt/docker" }' | sudo tee /etc/docker/daemon.json
+              sudo service docker start
+
+        # Register QEMU/binfmt handlers so `docker build --platform linux/arm64`
+        # works on the amd64 host. Equivalent to docker/setup-qemu-action@v4.
+        - task: Bash@3
+          displayName: "Set up QEMU for arm64 builds"
+          inputs:
+            targetType: "inline"
+            script: docker run --privileged --rm tonistiigi/binfmt --install arm64
+
+        - script: npm ci
+          displayName: "npm ci"
+
+        - script: npm run build
+          displayName: "npm run build"
+
+        - task: AzureCLI@2
+          displayName: "Login to ACR via OIDC"
+          inputs:
+            azureSubscription: "Playwright-CDN"
+            scriptType: "bash"
+            scriptLocation: "inlineScript"
+            inlineScript: "az acr login --name playwright"
+
+        - task: Bash@3
+          displayName: "Build & publish Docker images"
+          inputs:
+            targetType: "inline"
+            script: "./utils/docker/publish_docker.sh stable"