diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
new file mode 100644
index 000000000..371814f83
--- /dev/null
+++ b/.github/workflows/deploy.yml
@@ -0,0 +1,55 @@
+# Workflow for deploying Sorald
+#
+# Note that actions are specified by commit hash. This is to avoid the security
+# risk of someone injecting malicious code into a release and then simply
+# changing a tag.
+
+name: deploy
+
+on:
+  push:
+    branches: [ master ]
+
+env:
+  JAVA_DISTRIBUTION: 'adopt'
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+
+    environment: Deploy
+
+    steps:
+      - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2.3.4
+
+      - name: Setup for Java build
+        uses: actions/setup-java@8764a52df183aa0ccea74521dfd9d506ffc7a19a # v2.0.0
+        with:
+          java-version: 11
+          java-package: jdk
+          architecture: x64
+          distribution: ${{ env.JAVA_DISTRIBUTION }}
+
+      - name: Build
+        run: mvn -B package
+
+      - name: Setup Java for deploy
+        uses: actions/setup-java@8764a52df183aa0ccea74521dfd9d506ffc7a19a # v2.0.0
+        with: # running setup-java again overwrites the settings.xml
+          java-version: 11
+          java-package: jdk
+          architecture: x64
+          distribution: ${{ env.JAVA_DISTRIBUTION }}
+
+          server-id: ossrh
+          server-username: OSSRH_USERNAME
+          server-password: OSSRH_CENTRAL_TOKEN
+          gpg-private-key: ${{ secrets.SORALD_SIGNING_KEY }}
+          gpg-passphrase: SORALD_GPG_PASSPHRASE
+
+      - name: Publish to Maven Central
+        run: mvn -Prelease deploy
+        env:
+          OSSRH_USERNAME: ${{ secrets.OSSRH_USERNAME }}
+          OSSRH_CENTRAL_TOKEN: ${{ secrets.OSSRH_PASSWORD }}
+          SORALD_GPG_PASSPHRASE: ${{ secrets.SORALD_SIGNING_KEY_PASSPHRASE }}
\ No newline at end of file