diff --git a/.github/workflows/upload_rpms.yaml b/.github/workflows/upload_rpms.yaml
new file mode 100644
index 000000000..e50fd41d3
--- /dev/null
+++ b/.github/workflows/upload_rpms.yaml
@@ -0,0 +1,45 @@
+name: Build and upload HTCondor-CE RPMs
+on:
+ release:
+ # there seems to be contention between 'published' vs 'created' here
+ # 'published' occurs with a GitHub release
+ types: [published]
+
+jobs:
+ build-rpms-and-upload:
+ runs-on: ubuntu-latest
+ if: startsWith(github.repository, 'htcondor/')
+ strategy:
+ matrix:
+ dver: [7, 8]
+ steps:
+ - uses: actions/checkout@v2
+
+ - name: Prepare Docker
+ run: |
+ echo 'DOCKER_OPTS="-H tcp://127.0.0.1:2375 -H unix:///var/run/docker.sock -s devicemapper"' | sudo tee /etc/default/docker > /dev/null &&
+ sudo service docker restart
+
+ - name: Start CentOS ${{ matrix.dver}} image
+ run: |
+ docker run --detach --env "container=docker" \
+ --name $GITHUB_SHA \
+ --volume `pwd`:/htcondor-ce:rw \
+ centos:centos${{ matrix.dver }} \
+ /usr/sbin/init
+
+ - name: Build CHTC EL${{ matrix.dver }} RPMs
+ run: |
+ docker exec $GITHUB_SHA \
+ /bin/bash -xc \
+ "/htcondor-ce/tests/build_rpms.sh \
+ ${{ matrix.dver }} \
+ uw_build"
+
+ - name: Upload CHTC EL${{ matrix.dver }} RPMs
+ run: |
+ ssh-agent -a "$SSH_AUTH_SOCK" > /dev/null
+ ssh-add - <<< "${{ secrets.CI_XFER_KEY }}"
+ tests/sftp_upload.sh
+ env:
+ SSH_AUTH_SOCK: /tmp/ssh_agent.sock
diff --git a/config/condor_mapfile b/config/condor_mapfile
index cede8bc92..d956e73e4 100644
--- a/config/condor_mapfile
+++ b/config/condor_mapfile
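Review bot: The Upload step in `upload_rpms.yaml` expands `${{ secrets.CI_XFER_KEY }}` directly into the `run:` script text, so the private key is written into the generated shell script on the runner and any `$`, backtick or quote in the value would be parsed by the shell. Pass it through the step environment instead: add `CI_XFER_KEY: ${{ secrets.CI_XFER_KEY }}` under `env:` and use `ssh-add - <<< "$CI_XFER_KEY"`. The same job runs `actions/checkout@v2`, a mutable tag; pinning the action to a full commit SHA keeps a retagged action from running alongside the deploy key. The Prepare Docker step also configures an unauthenticated Docker API listener on `tcp://127.0.0.1:2375` that nothing in this workflow appears to use; dropping that `-H` option leaves only the unix socket.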
@@ -1,5 +1,5 @@ # HTCondor-CE Certificate Mapfile -# http://research.cs.wisc.edu/htcondor/manual/v8.6/3_8Security.html#SECTION00484000000000000000 +# https://htcondor.readthedocs.io/en/v8_9_11/admin-manual/security.html#the-unified-map-file-for-authentication # Using GSI authentication for certificates requires the issuer CAs to be # installed in /etc/grid-security/certificates. If you would also like to # authenticate VOMS attributes, *.lsc files should be installed in diff --git a/tests/build_rpms.sh b/tests/build_rpms.sh index b4a997103..ccd618941 100755 --- a/tests/build_rpms.sh +++ b/tests/build_rpms.sh @@ -86,6 +86,6 @@ rpmbuild --define '_topdir /tmp/rpmbuild' --undefine 'dist' -bs /tmp/rpmbuild/SP rpmbuild --define '_topdir /tmp/rpmbuild' -bb /tmp/rpmbuild/SPECS/htcondor-ce.spec # dir needs to be inside htcondor-ce so it's visible outside the container -mkdir -p htcondor-ce/travis_deploy -cp -f /tmp/rpmbuild/RPMS/*/*.rpm htcondor-ce/travis_deploy/ -cp -f /tmp/rpmbuild/SRPMS/*.rpm htcondor-ce/travis_deploy/ +mkdir -p htcondor-ce/ci_deploy +cp -f /tmp/rpmbuild/RPMS/*/*.rpm htcondor-ce/ci_deploy/ +cp -f /tmp/rpmbuild/SRPMS/*.rpm htcondor-ce/ci_deploy/ diff --git a/tests/sftp_upload.sh b/tests/sftp_upload.sh index a41435b07..be86df033 100755 --- a/tests/sftp_upload.sh +++ b/tests/sftp_upload.sh 
@@ -14,15 +14,9 @@ if [[ -r $progdir/env.sh ]]; then set $_old_x fi -if [[ $TRAVIS_PULL_REQUEST != false ]]; then - echo "Not running deploy on a PR" - exit 0 -fi - -project=${TRAVIS_REPO_SLUG#*/} -repo_owner=${TRAVIS_REPO_SLUG%/*} +project=${GITHUB_REPOSITORY#*/} +repo_owner=${GITHUB_REPOSITORY%/*} -keyfile=$progdir/id_rsa_cibot2 upload_server=ci-xfer.chtc.wisc.edu # from "ssh-keyscan -t rsa ci-xfer.chtc.wisc.edu" hostsig="ci-xfer.chtc.wisc.edu ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDyrceRMLPsOmdtDHxXpfI82snDF0Q9/Z1Mick5zsQK1RyOtNgkyvXM50AJSPPSl0I9JmIxSBxhqcNDcbDz0Kc8tKcA1iGQxp4Ll9z9ZCl60AUq72WwkS1A4z11JjRoYvw1CL8bvoJhk55dcgAz+bXWx/eTwcBsmW80/okNDkdYmtv+QgfUmRP6TjMtIkzvCsXi5x+B4j66yQcLDDYb36EcGyHZqoyLuxkxX0OwS7LuzDfnKxpsV9jlnu3PuJnZOizalqKUpTYc2b83XnfsIYTqoiclmFr89+WuQJG6e/596y/9aVtNacCphdS7u3D+tSoME6OG7xQtZiQfkWvKPicv" @@ -30,29 +24,16 @@ hostsig="ci-xfer.chtc.wisc.edu ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDyrceRMLPsO function setup_ssh_to_chtc { - if [[ ! -e $keyfile.enc.$repo_owner ]]; then - echo "Repo owner $repo_owner does not have a key in the repo." >&2 - echo "Cannot deploy via ssh." >&2 - return 1 - fi ( umask 077 mkdir -p ~/.ssh - openssl aes-256-cbc \ - -K $encrypted_e14a22ad945b_key \ - -iv $encrypted_e14a22ad945b_iv \ - -in $keyfile.enc.$repo_owner -out $keyfile \ - -d cat > ~/.ssh/config <<__END__ Host $upload_server User cibot -IdentityFile $keyfile PubkeyAuthentication yes -PasswordAuthentication no +PasswordAuthentication yes GSSAPIAuthentication no ChallengeResponseAuthentication no -KerberosAuthentication no -IdentitiesOnly yes __END__ printf "%s\n" "$hostsig" > ~/.ssh/known_hosts ) 
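Review bot: In the second hunk the generated `~/.ssh/config` changes `PasswordAuthentication no` to `PasswordAuthentication yes` and drops `KerberosAuthentication no`, although the job authenticates with the key held in ssh-agent and has no terminal to answer a prompt. If the agent key is missing or rejected, ssh will go on to offer password authentication instead of stopping at the key failure; keep `PasswordAuthentication no` and consider adding `BatchMode yes` so the upload fails fast and visibly. Removing `IdentityFile` and `IdentitiesOnly yes` is consistent with moving the key into the agent. The closing brace of `setup_ssh_to_chtc` lies outside this hunk.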
@@ -60,19 +41,19 @@ __END__ function sftp_to_chtc { local ret=0 - local remote_dir=/var/tmp/travis/$repo_owner/$project - if [[ -n ${TRAVIS_TAG-} ]]; then + local remote_dir=/var/tmp/ci_deploy/$repo_owner/$project + if [[ $GITHUB_REF =~ ^refs/tags/ ]]; then # .../htcondor-ce-v2.3.4 - remote_dir=${remote_dir}-$(tr / _ <<<"$TRAVIS_TAG") + remote_dir=${remote_dir}-$(tr / _ <<<"${GITHUB_REF##refs/tags/}") else # .../htcondor-ce-88 - remote_dir=${remote_dir}-${TRAVIS_BUILD_NUMBER} + remote_dir=${remote_dir}-${GITHUB_RUN_ID} fi set +x script=$(mktemp -t build_rpms.$$.XXXXXX) cat >>"$script" <<__END__ --MKDIR /var/tmp/travis --MKDIR /var/tmp/travis/$repo_owner +-MKDIR /var/tmp/ci_deploy +-MKDIR /var/tmp/ci_deploy/$repo_owner -MKDIR $remote_dir CD $remote_dir __END__ @@ -91,7 +72,7 @@ __END__ setup_ssh_to_chtc -sftp_to_chtc "$progdir"/../travis_deploy/* +sftp_to_chtc "$progdir"/../ci_deploy/* # vim:et:sw=4:sts=4:ts=8
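Review bot: `remote_dir` is now derived from the release tag via `${GITHUB_REF##refs/tags/}`, and `tr / _` rewrites only slashes before the value is expanded unquoted into the sftp batch file (`-MKDIR $remote_dir`, `CD $remote_dir`). Git permits quotes and other characters in tag names that sftp's batch parser treats specially, so put the tag in a local such as `tag` and validate it before building the path, e.g. `[[ $tag =~ ^[A-Za-z0-9._-]+$ ]] || { echo "unexpected tag name" >&2; return 1; }`. Both matrix jobs (dver 7 and 8) also resolve to the same `remote_dir` for a given tag, so files with identical names, presumably the SRPM built with `--undefine 'dist'`, would overwrite each other; a per-`dver` subdirectory would avoid that. The rest of `sftp_to_chtc` continues outside the hunk.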