diff --git a/.github/workflows/nightly.yaml b/.github/workflows/nightly.yaml
new file mode 100644
index 00000000..a77dca89
--- /dev/null
+++ b/.github/workflows/nightly.yaml
@@ -0,0 +1,66 @@ +name: Nightly Release + +on: + workflow_dispatch: # Manual trigger + schedule: + - cron: '0 5 * * *' # 5 AM UTC = Midnight EST + +jobs: + nightly: + if: ${{ github.repository == 'shipwright-io/triggers' }} + runs-on: ubuntu-latest + permissions: + id-token: write # To be able to get OIDC ID token to sign images. + contents: write # To be able to update releases. + packages: write # To be able to push images and signatures. + + env: + IMAGE_HOST: ghcr.io + IMAGE_NAMESPACE: ${{ github.repository }} + + steps: + - uses: actions/checkout@v3 + - uses: actions/setup-go@v4 + with: + go-version: '1.19.x' + check-latest: true + + # Install tools + - uses: ko-build/setup-ko@v0.6 + with: + version: v0.13.0 + - uses: imjasonh/setup-crane@e82f1b9a8007d399333baba4d75915558e9fb6a4 + - uses: sigstore/cosign-installer@v3 + + - name: Get current date + id: date + run: echo "date=$(date +'%Y-%m-%d-%s')" >> $GITHUB_OUTPUT + + - name: Generate and upload release YAMLs + env: + REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} + REGISTRY_USERNAME: ${{ github.repository_owner }} + TAG: "nightly-${{ steps.date.outputs.date }}" + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + make release + + mv release.yaml nightly-${{ steps.date.outputs.date }}.yaml + mv release-debug.yaml nightly-${{ steps.date.outputs.date }}-debug.yaml +# gh release upload nightly nightly-${{ steps.date.outputs.date }}.yaml +# gh release upload nightly nightly-${{ steps.date.outputs.date }}-debug.yaml + + - name: Update latest tag of supporting images + run: | + crane copy "${IMAGE_HOST}/${IMAGE_NAMESPACE}/triggers:nightly-${{ steps.date.outputs.date }}" "${IMAGE_HOST}/${IMAGE_NAMESPACE}/triggers:latest" + + - name: Sign released images + run: | + for f in \ + nightly-${{ steps.date.outputs.date }}.yaml \ + nightly-${{ steps.date.outputs.date }}-debug.yaml; do + grep -o "ghcr.io[^\"]*" $f | xargs cosign sign --yes \ + -a sha=${{ github.sha }} \ + -a run_id=${{ github.run_id }} \ + -a 
run_attempt=${{ github.run_attempt }} + done diff --git a/Makefile b/Makefile index e8bcca57..434ec5b7 100644 --- a/Makefile +++ b/Makefile @@ -74,8 +74,9 @@ $(CONTROLLER_GEN): .PHONY: manifests manifests: controller-gen $(CONTROLLER_GEN) \ - rbac:roleName=shipwright-trigger crd paths="./..." \ - output:dir=$(MANIFEST_DIR) + rbac:roleName=shipwright-triggers webhook paths="./..." \ + output:dir=deploy/ + mv deploy/role.yaml deploy/200-role.yaml # runs the manager from your host .PHONY: run @@ -99,6 +100,9 @@ deploy: $(CHART_DIR) | \ ko apply $(KO_OPTS) $(ARGS) --filename - +release: manifests + hack/release.sh + # runs the unit tests, with optional arguments .PHONY: test-unit test-unit: CGO_ENABLED=1 diff --git a/deploy/100-namespace.yaml b/deploy/100-namespace.yaml new file mode 100644 index 00000000..ef951f6e --- /dev/null +++ b/deploy/100-namespace.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: shipwright-build diff --git a/chart/generated/role.yaml b/deploy/200-role.yaml similarity index 96% rename from chart/generated/role.yaml rename to deploy/200-role.yaml index 8d7d7c2c..15bb7589 100644 --- a/chart/generated/role.yaml +++ b/deploy/200-role.yaml @@ -3,7 +3,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null - name: shipwright-trigger + name: shipwright-triggers rules: - apiGroups: - shipwright.io diff --git a/deploy/300-rolebinding.yaml b/deploy/300-rolebinding.yaml new file mode 100644 index 00000000..aad63765 --- /dev/null +++ b/deploy/300-rolebinding.yaml 
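Review bot: `contents: write` in the job's `permissions` block has no consumer in this hunk: both `gh release upload` lines in the "Generate and upload release YAMLs" step are commented out, and the remaining steps (`crane copy`, `cosign sign`) need only `packages: write` and `id-token: write`, so the job token is broader than what runs; drop `contents: write` until the upload is re-enabled. `actions/checkout@v3`, `actions/setup-go@v4`, `ko-build/setup-ko@v0.6` and `sigstore/cosign-installer@v3` are pinned to mutable tags while `imjasonh/setup-crane` is pinned to a commit SHA; since this job holds registry-write and OIDC signing credentials, pin all five to full commit SHAs with the tag in a trailing comment, so a moved tag cannot change what executes with them. The `TAG` env var is set only on the release step, while the `crane copy` and `cosign sign` steps rebuild the same value inline from `${{ steps.date.outputs.date }}`; setting `TAG` on those steps' `env:` as well and using `"$TAG"` in their `run:` blocks keeps one definition. The `grep -o "ghcr.io[^\"]*" $f` line leaves `$f` unquoted, harmless for these file names but inconsistent with the quoted references on the `crane copy` line; `"$f"` would be consistent.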
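Review bot: `output:dir=deploy/` replaces the `$(MANIFEST_DIR)` variable the removed line used with a literal path, and the new `mv deploy/role.yaml deploy/200-role.yaml` line repeats that literal. If `MANIFEST_DIR` (defined outside this hunk) is kept and pointed at `deploy/`, `output:dir=$(MANIFEST_DIR)` and `mv $(MANIFEST_DIR)/role.yaml $(MANIFEST_DIR)/200-role.yaml` leave one place to change the path; I cannot see from the diff whether the variable is still used elsewhere, so this is a suggestion to confirm. A short comment above `manifests:` saying that the rename to `200-role.yaml` exists to control apply order in `deploy/` would also spare the next reader the guess.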
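Review bot: `release: manifests` is a new target with no `.PHONY` declaration, unlike `manifests`, `run` and `test-unit` around it; if a file or directory named `release` ever appears in the checkout, make treats the target as up to date and `hack/release.sh` is silently skipped. Add `.PHONY: release` above it, plus a one-line comment in the file's existing style, e.g. `# builds and pushes the images and writes release.yaml / release-debug.yaml via hack/release.sh`. The `deploy` target whose tail forms the hunk's leading context begins above the hunk.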
@@ -0,0 +1,28 @@
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: shipwright-triggers
+subjects:
+- kind: ServiceAccount
+ name: shipwright-triggers
+ namespace: shipwright-build
+roleRef:
+ kind: ClusterRole
+ name: shipwright-triggers
+ apiGroup: rbac.authorization.k8s.io
+
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: shipwright-triggers
+ namespace: shipwright-build
+subjects:
+- kind: ServiceAccount
+ name: shipwright-triggers
+ namespace: shipwright-build
+roleRef:
+ kind: Role
+ name: shipwright-triggers
+ apiGroup: rbac.authorization.k8s.io
diff --git a/deploy/400-serviceaccount.yaml b/deploy/400-serviceaccount.yaml
new file mode 100644
index 00000000..636a8d55
--- /dev/null
+++ b/deploy/400-serviceaccount.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: shipwright-triggers
+ namespace: shipwright-build
diff --git a/deploy/500-controller.yaml b/deploy/500-controller.yaml
new file mode 100644
index 00000000..d7320d2b
--- /dev/null
+++ b/deploy/500-controller.yaml
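Review bot: The second document binds the ServiceAccount to a namespaced `Role` named `shipwright-triggers` in `shipwright-build`, but no such `Role` is created by this change — `200-role.yaml` is a `ClusterRole` — so unless that Role comes from somewhere outside the diff the `RoleBinding` resolves to nothing and can be dropped. Conversely, the `ClusterRoleBinding` grants the `ClusterRole` in every namespace, while `500-controller.yaml` sets `WATCH_NAMESPACE` to the pod's own namespace; if the controller only needs to act in `shipwright-build`, a `RoleBinding` whose `roleRef` is `kind: ClusterRole` grants the same rules scoped to that one namespace. Which scope is intended depends on the controller's client usage, which is not visible here, so confirm before changing either binding. Whatever the answer, a one-line comment above each document stating the intended scope (cluster-wide vs. namespace) would make the grant reviewable without opening the controller source.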
@@ -0,0 +1,52 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: shipwright-triggers
+ namespace: shipwright-build
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ name: shipwright-triggers
+ template:
+ metadata:
+ labels:
+ name: shipwright-triggers
+ spec:
+ serviceAccountName: shipwright-triggers
+ containers:
+ - name: shipwright-trigger
+ image: ko://github.com/shipwright-io/triggers
+ env:
+ - name: WATCH_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: BUILD_CONTROLLER_LEADER_ELECTION_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: CONTROLLER_NAME
+ value: "shipwright-build"
+ - name: GIT_ENABLE_REWRITE_RULE
+ value: "false"
+ ports:
+ - containerPort: 8080
+ name: metrics-port
+ livenessProbe:
+ httpGet:
+ path: /metrics
+ port: metrics-port
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ readinessProbe:
+ httpGet:
+ path: /metrics
+ port: metrics-port
+ initialDelaySeconds: 5
+ periodSeconds: 10
diff --git a/hack/release.sh b/hack/release.sh
new file mode 100755
index 00000000..6b5abf80
--- /dev/null
+++ b/hack/release.sh
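Review bot: The `shipwright-trigger` container has no `securityContext`, so nothing in the manifest asserts non-root execution, a read-only root filesystem, or dropped capabilities; ko's default base image may already run as non-root, but the Deployment should state that contract itself so a base-image change does not silently alter it and a restricted Pod Security admission profile does not reject the pod. The container also sets no `resources` requests or limits, which a cluster with quotas or `LimitRange` defaults will either reject or fill in unpredictably; the values depend on the controller's footprint, so they are left out of the excerpt below. The container `name: shipwright-trigger` is the only singular spelling in the file — the Deployment, its labels and the ServiceAccount all use `shipwright-triggers`. The rewritten container stanza follows; `env`, `ports` and both probes are unchanged.
```yaml
      containers:
      - name: shipwright-triggers
        image: ko://github.com/shipwright-io/triggers
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          capabilities:
            drop:
            - ALL
          seccompProfile:
            type: RuntimeDefault
        # … unchanged: env, ports, livenessProbe, readinessProbe …
```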
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+# Copyright The Shipwright Contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+
+set -euo pipefail
+
+GO_FLAGS=${GO_FLAGS:-""}
+
+echo "Logging into container registry $IMAGE_HOST"
+echo "$REGISTRY_PASSWORD" | ko login -u "$REGISTRY_USERNAME" --password-stdin "$IMAGE_HOST"
+
+echo "Building container image"
+
+echo "Adding io.shipwright.vcs-ref label with value: ${GITHUB_SHA}"
+
+KO_DOCKER_REPO="${IMAGE_HOST}/${IMAGE_NAMESPACE}" GOFLAGS="${GO_FLAGS}" ko resolve \
+ --base-import-paths \
+ --tags "${TAG}" \
+ --image-label "io.shipwright.vcs-ref=${GITHUB_SHA}" \
+ --platform=all -R -f deploy/ > release.yaml
+
+KO_DOCKER_REPO="${IMAGE_HOST}/${IMAGE_NAMESPACE}" GOFLAGS="${GO_FLAGS} -tags=pprof_enabled" ko resolve \
+ --base-import-paths \
+ --tags "${TAG}-debug" \
+ --image-label "io.shipwright.vcs-ref=${GITHUB_SHA}" \
+ --platform=all -R -f deploy/ > release-debug.yaml
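Review bot: The script reads `IMAGE_HOST`, `IMAGE_NAMESPACE`, `REGISTRY_USERNAME`, `REGISTRY_PASSWORD`, `TAG` and `GITHUB_SHA` from the environment but documents none of them; only `GO_FLAGS` gets a default. With `set -u` a missing variable fails with bash's bare "unbound variable" message at whichever line first expands it, so a missing `TAG` is only noticed after `ko login` has already run. A header comment listing the required variables and where they come from (the `nightly.yaml` workflow in this change), plus one guard line after `set -euo pipefail`, e.g. `for v in IMAGE_HOST IMAGE_NAMESPACE REGISTRY_USERNAME REGISTRY_PASSWORD TAG GITHUB_SHA; do : "${!v:?$v must be set}"; done`, makes the contract explicit and fails before any registry call. The two `ko resolve` invocations differ only in `GOFLAGS` and the tag suffix; a comment above the second stating that it builds the pprof-enabled debug variant of the same images would save the reader a diff of the two commands.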