diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..0dee3de
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,35 @@
+name: Publish to Maven Central
+
+permissions:
+  contents: read
+
+on:
+  release:
+    types: [created]
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Java
+        uses: actions/setup-java@v4
+        with:
+          java-version: '11'
+          distribution: 'temurin'
+
+      - name: Setup Gradle
+        uses: gradle/actions/setup-gradle@v3
+
+      - name: Run tests
+        run: ./gradlew test
+
+      - name: Publish to Maven Central
+        run: ./gradlew publish
+        env:
+          SONATYPE_USERNAME: ${{ secrets.SONATYPE_USERNAME }}
+          SONATYPE_PASSWORD: ${{ secrets.SONATYPE_PASSWORD }}
+          SIGNING_KEY_ID: ${{ secrets.SIGNING_KEY_ID }}
+          SIGNING_PASSWORD: ${{ secrets.SIGNING_PASSWORD }}
+          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
diff --git a/.gitignore b/.gitignore
index 06eef8f..8bc87d7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -34,3 +34,10 @@ out/
 # Compiled files
 /bin/
 /target/
+
+# Sensitive files - NEVER commit these
+*.gpg
+*.asc
+secring.*
+gradle.properties.local
+local.properties
diff --git a/build.gradle b/build.gradle
index 19cd5ac..ea1f65d 100644
--- a/build.gradle
+++ b/build.gradle
@@ -87,17 +87,24 @@ publishing {
     }
     repositories {
         maven {
-            name = 'ossrh-staging-api'
+            name = 'central'
             url = uri("https://ossrh-staging-api.central.sonatype.com/service/local/staging/deploy/maven2/")
             credentials {
-                username = USERNAME
-                password = PASSWORD
+                username = System.getenv('SONATYPE_USERNAME') ?: ''
+                password = System.getenv('SONATYPE_PASSWORD') ?: ''
             }
         }
     }
 }
 
 signing {
+    def signingKeyId = System.getenv('SIGNING_KEY_ID')
+    def signingKey = System.getenv('GPG_PRIVATE_KEY')
+    def signingPassword = System.getenv('SIGNING_PASSWORD')
+
+    if (signingKey) {
+        useInMemoryPgpKeys(signingKeyId, signingKey, signingPassword)
+    }
     sign publishing.publications.mavenJava
 }
 
diff --git a/gradle.properties b/gradle.properties
index 8d5c263..36b8e68 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -18,10 +18,4 @@ POM_ARTIFACT_ID=resend-java
 POM_PACKAGING=jar
 POM_ORGANIZATION_URL=https://resend.com
 
-VENDOR_NAME=Resend. (https://resend.com)
-USERNAME=${System.env.USERNAME}
-PASSWORD=${System.env.PASSWORD}
-
-signing.keyId=${System.env.signing.keyId}
-signing.password=${System.env.signing.password}
-signing.secretKeyRingFile=${System.env.signing.secretKeyRingFile}
\ No newline at end of file
+VENDOR_NAME=Resend. (https://resend.com)
\ No newline at end of file