diff --git a/.github/actions/jdk-setup/action.yml b/.github/actions/jdk-setup/action.yml
index 90a8bdd..e81775f 100644
--- a/.github/actions/jdk-setup/action.yml
+++ b/.github/actions/jdk-setup/action.yml
@@ -1,11 +1,46 @@
 name: "JDK Setup"
 description: "Set up Temurin JDK 21 with Maven dependency caching"
+inputs:
+ server-id:
+ description: "Maven settings.xml server id for Maven Central authentication."
+ required: false
+ default: ''
+ server-username:
+ description: "Environment variable name for the Maven Central username."
+ required: false
+ default: ''
+ server-password:
+ description: "Environment variable name for the Maven Central password."
+ required: false
+ default: ''
+ gpg-private-key:
+ description: "GPG private key to import for artifact signing."
+ required: false
+ default: ''
+ gpg-passphrase:
+ description: "Environment variable name for the GPG passphrase."
+ required: false
+ default: ''
 runs:
 using: "composite"
 steps:
 - name: Set up JDK 21
+ if: ${{ inputs.server-id == '' }}
 uses: actions/setup-java@v5
 with:
 java-version: '21'
 distribution: 'temurin'
 cache: maven
+
+ - name: Set up JDK 21 with Maven Central credentials
+ if: ${{ inputs.server-id != '' }}
+ uses: actions/setup-java@v5
+ with:
+ java-version: '21'
+ distribution: 'temurin'
+ cache: maven
+ server-id: ${{ inputs.server-id }}
+ server-username: ${{ inputs.server-username }}
+ server-password: ${{ inputs.server-password }}
+ gpg-private-key: ${{ inputs.gpg-private-key }}
+ gpg-passphrase: ${{ inputs.gpg-passphrase }}
diff --git a/.github/workflows/deploy-snapshot.yml b/.github/workflows/deploy-snapshot.yml
index b9fa935..e838470 100644
--- a/.github/workflows/deploy-snapshot.yml
+++ b/.github/workflows/deploy-snapshot.yml
@@ -17,6 +17,8 @@ jobs:
 timeout-minutes: 20
 steps:
 - uses: actions/checkout@v7
+ with:
+ persist-credentials: false
 - uses: actions/setup-java@v5
 with:
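Review bot: The new "Set up JDK 21 with Maven Central credentials" step in `.github/actions/jdk-setup/action.yml` hands `inputs.gpg-private-key` to `actions/setup-java@v5`, a mutable tag, so whatever that tag resolves to at run time receives the signing key. Pin the action that handles the key to a full commit SHA, e.g. `uses: actions/setup-java@<full-commit-sha> # v5` (placeholder; take the SHA from the upstream release), and do the same for `actions/checkout@v7` in the new `release.yml`. The step also forwards `server-username`, `server-password` and `gpg-passphrase` when they are empty, so a caller that sets only `server-id` presumably ends up with an unusable settings.xml entry. A sentence in the input descriptions saying the credential inputs must be supplied together with `server-id`, and that `gpg-private-key` must come from a secret, would make that contract explicit.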
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..25a04bb
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,41 @@
+name: Release to Maven Central
+
+on:
+ push:
+ tags: ['v*'] # created by maven-release-plugin (tagNameFormat v@{project.version})
+
+permissions:
+ contents: read
+
+concurrency:
+ group: release-deploy
+ cancel-in-progress: false
+
+env:
+ MAVEN_COMMAND: ./mvnw
+ MAVEN_CLI_COMMON: "-e -B -N"
+
+jobs:
+ release:
+ runs-on: ubuntu-latest
+ timeout-minutes: 30
+ environment: release
+ steps:
+ - uses: actions/checkout@v7
+ with:
+ persist-credentials: false
+
+ - uses: ./.github/actions/jdk-setup
+ with:
+ server-id: central-publish
+ server-username: CENTRAL_USERNAME
+ server-password: CENTRAL_TOKEN
+ gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }}
+ gpg-passphrase: MAVEN_GPG_PASSPHRASE
+
+ - name: Deploy release to Maven Central
+ env:
+ CENTRAL_USERNAME: ${{ secrets.CENTRAL_USERNAME }}
+ CENTRAL_TOKEN: ${{ secrets.CENTRAL_TOKEN }}
+ MAVEN_GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
+ run: ${{ env.MAVEN_COMMAND }} ${{ env.MAVEN_CLI_COMMON }} deploy -Prelease -DskipTests
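Review bot: Every push of a tag matching `v*` starts the `release` job with the GPG key and the Central token, and the only gate visible in this file is `environment: release`, whose protection rules are not part of the diff. I would record the requirement in a comment above that line, e.g. `# 'release' environment: required reviewers, deployment restricted to protected v* tags`, and confirm that the repository limits who may create `v*` tags. Separately, the `run:` line templates `${{ env.MAVEN_COMMAND }}` and `${{ env.MAVEN_CLI_COMMON }}` into the script although both are already exported to the shell; `run: "$MAVEN_COMMAND" $MAVEN_CLI_COMMON deploy -Prelease -DskipTests` keeps expression expansion out of the script text. With `-DskipTests` the job publishes signed artifacts without running tests, so it depends on the tagged commit having passed CI elsewhere; a short comment saying so would help.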