diff --git a/.github/workflows/format.yml b/.github/workflows/format.yml
index 924b85a..b3cc8cb 100644
--- a/.github/workflows/format.yml
+++ b/.github/workflows/format.yml
@@ -18,7 +18,7 @@ jobs:
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Setup Java
- uses: actions/setup-java@3b2a55ebf035c8ede26704717ad4efd65e9edee3 # v5.1.0
+ uses: actions/setup-java@f2beeb24e141e01a676f977032f5a29d81c9e27e # v5.1.0
 with:
 distribution: temurin
 java-version: "11"
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 93cd871..20583b0 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -18,7 +18,7 @@ jobs:
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Setup Java
- uses: actions/setup-java@3b2a55ebf035c8ede26704717ad4efd65e9edee3 # v5.1.0
+ uses: actions/setup-java@f2beeb24e141e01a676f977032f5a29d81c9e27e # v5.1.0
 with:
 distribution: temurin
 java-version: "11"
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
new file mode 100644
index 0000000..2a25181
--- /dev/null
+++ b/.github/workflows/publish.yml
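Review bot: The pinned commit for `actions/setup-java` changes from `3b2a55e` to `f2beeb2` while the trailing comment stays `# v5.1.0`, so one of the two hashes does not correspond to that tag and the diff alone cannot show which. The new SHA should be checked against the upstream `v5.1.0` tag before merging, because the comment is the only thing a reviewer or an update bot has to read the pin by. The same replacement is made in lint.yml and test.yml, and the new publish.yml uses the same pin in the step that receives the GPG private key, so a wrong hash there matters most.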
@@ -0,0 +1,64 @@
+# Publish release artifacts to Maven Central when a GitHub Release is created.
+# See DEPLOY.md for required repository secrets and release process.
+name: publish
+
+on:
+ release:
+ types: [created]
+
+permissions:
+ contents: read
+
+jobs:
+ publish:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+ with:
+ egress-policy: audit
+
+ - name: Checkout release tag
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ ref: ${{ github.event.release.tag_name }}
+
+ - name: Setup Java and Maven Central credentials
+ uses: actions/setup-java@f2beeb24e141e01a676f977032f5a29d81c9e27e # v5.1.0
+ with:
+ distribution: temurin
+ java-version: "11"
+ cache: maven
+ server-id: central
+ server-username: MAVEN_USERNAME
+ server-password: MAVEN_CENTRAL_TOKEN
+ gpg-private-key: ${{ secrets.MAVEN_GPG_PRIVATE_KEY }}
+ gpg-passphrase: MAVEN_GPG_PASSPHRASE
+
+ - name: Set project version from release tag
+ run: |
+ VERSION="${TAG_NAME#v}"
+ if [ -z "$VERSION" ]; then
+ echo "Release tag must be vX.Y.Z (for example v1.2.0)" >&2
+ exit 1
+ fi
+ mvn -B org.apache.maven.plugins:maven-versions-plugin:2.17.1:set \
+ -DnewVersion="$VERSION" \
+ -DgenerateBackupPoms=false
+ env:
+ TAG_NAME: ${{ github.event.release.tag_name }}
+
+ - name: Verify formatting
+ run: mvn -B spotless:check
+
+ - name: Test
+ run: mvn -B test
+
+ - name: Publish to Maven Central
+ run: mvn -B clean deploy -Dgpg.keyname="${GPG_KEY_ID}"
+ env:
+ MAVEN_USERNAME: ${{ secrets.MAVEN_CENTRAL_USERNAME }}
+ MAVEN_CENTRAL_TOKEN: ${{ secrets.MAVEN_CENTRAL_TOKEN }}
+ MAVEN_GPG_PASSPHRASE: ${{ secrets.MAVEN_GPG_PASSPHRASE }}
+ GPG_KEY_ID: ${{ secrets.MAVEN_GPG_KEY_ID }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 3b804c6..1dbdc52 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
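Review bot: The `Set project version from release tag` step rejects only an empty value, so any other tag name (with or without the `v`, numeric or not) becomes the Maven version and is signed and deployed, and a version released to Central is not meant to be changed or removed afterwards. The guard should enforce the shape its own error message promises, for example `if ! [[ "$TAG_NAME" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then`. The same step calls `org.apache.maven.plugins:maven-versions-plugin:2.17.1:set`; as far as I know the Versions plugin is published as `org.codehaus.mojo:versions-maven-plugin`, so that coordinate should be confirmed to resolve before a release depends on it. Separately, this job holds the GPG signing key and the Central token while harden-runner runs with `egress-policy: audit`, which records outbound connections but does not stop them. Once an audited run has produced the endpoint list, `egress-policy: block` with `allowed-endpoints` would be the stronger setting for a publishing job.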
@@ -18,7 +18,7 @@ jobs:
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Setup Java
- uses: actions/setup-java@3b2a55ebf035c8ede26704717ad4efd65e9edee3 # v5.1.0
+ uses: actions/setup-java@f2beeb24e141e01a676f977032f5a29d81c9e27e # v5.1.0
 with:
 distribution: temurin
 java-version: "11"
diff --git a/DEPLOY.md b/DEPLOY.md
index d0f35c6..e6f8ab1 100644
--- a/DEPLOY.md
+++ b/DEPLOY.md
@@ -2,27 +2,35 @@ Canonical repository: [coinbase/core-java](https://github.com/coinbase/core-java). -Version **1.1.x** on [coinbase-samples/core-java](https://github.com/coinbase-samples/core-java) was the last samples-line release (git-only for 1.1.2). Publish **1.2.0+** from this repository. +This project publishes through the [Sonatype Central Portal](https://central.sonatype.org/publish/publish-portal-maven/) (`central-publishing-maven-plugin` with server id `central`). ## Prerequisites - JDK 11+ - Maven 3.8+ - GPG key configured (`gpg.keyname` in Maven settings or `pom.xml` properties) -- Sonatype Central credentials (`central` server id in `~/.m2/settings.xml`) +- Sonatype Central user token ([generate in the portal](https://central.sonatype.com/account); use server id `central` in `~/.m2/settings.xml`) -## Publish to Maven Central +## Publish with GitHub Actions -From a clean tree on the release tag: +Creating a [GitHub Release](https://docs.github.com/en/repositories/releasing-projects-on-github/managing-releases-in-a-repository#creating-a-release) runs [`.github/workflows/publish.yml`](.github/workflows/publish.yml). The workflow checks out the release tag, aligns `pom.xml` version with the tag (for example `v1.2.0` → `1.2.0`), runs Spotless and tests, then runs `mvn clean deploy`. -```bash -git checkout v1.2.0 -mvn clean deploy -``` +### Repository secrets -Tag releases on `coinbase/core-java` after a successful publish: +Configure these under **Settings → Secrets and variables → Actions**: + +| Secret | Description | +|--------|-------------| +| `MAVEN_CENTRAL_USERNAME` | Sonatype Central token username | +| `MAVEN_CENTRAL_TOKEN` | Sonatype Central token password | +| `MAVEN_GPG_PRIVATE_KEY` | ASCII-armored GPG secret key (`gpg --armor --export-secret-keys KEY_ID`) | +| `MAVEN_GPG_PASSPHRASE` | Passphrase for that key | +| `MAVEN_GPG_KEY_ID` | GPG key id used by `maven-gpg-plugin` (`gpg.keyname`) | + +### Release checklist + +1. 
Bump `` on `main` (or rely on the workflow to set it from the tag). +2. Create and push an annotated tag: `git tag v1.2.0 && git push origin v1.2.0` +3. Create a GitHub Release for that tag (event type **created** triggers publish). +4. Confirm the workflow succeeded and the artifact appears on [Maven Central](https://central.sonatype.com/artifact/com.coinbase.core/coinbase-core-java). -```bash -git tag v1.2.0 -git push pub v1.2.0 -``` diff --git a/README.md b/README.md index 3399159..ac94101 100644 --- a/README.md +++ b/README.md @@ -84,7 +84,7 @@ mvn javadoc:javadoc Published API docs: [javadoc.io — coinbase-core-java](https://javadoc.io/doc/com.coinbase.core/coinbase-core-java). -Publishing to Maven Central (maintainers, requires GPG and credentials): see [DEPLOY.md](DEPLOY.md) or run `mvn clean deploy`. +Publishing to Maven Central (maintainers): create a GitHub Release (see [DEPLOY.md](DEPLOY.md)) or run `mvn clean deploy` locally. ## 🚨 Security and Bug Reports