diff --git a/.github/workflows/central-publish.yaml b/.github/workflows/central-publish.yaml
new file mode 100644
index 0000000..d9a79f1
--- /dev/null
+++ b/.github/workflows/central-publish.yaml
@@ -0,0 +1,42 @@
+name: Build and Publish to Sonatype
+
+on:
+  push:
+    branches:
+      - main
+  pull_request: # test to be removed before merge
+
+env:
+  SONATYPE_USERNAME: ${{ secrets.SONATYPE_USERNAME }}
+  SONATYPE_PASSWORD: ${{ secrets.SONATYPE_PASSWORD }}
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Gradle
+        uses: gradle/wrapper-validation-action@v1
+
+      - name: Set up JDK 17
+        uses: actions/setup-java@v4
+        with:
+          java-version: "17"
+          distribution: "oracle"
+
+      - name: Import GPG key
+        run: |
+          echo "${{ secrets.GPG_PRIVATE_KEY }}" | gpg --batch --import
+
+      - name: Configure GPG passphrase
+        run: |
+          echo "${{ secrets.GPG_PASSPHRASE }}" | gpg --batch --yes --passphrase-fd 0 --pinentry-mode loopback --sign-key ${{ secrets.GPG_KEY_ID }}
+
+      - name: Publish to Sonatype
+        run: ./gradlew publish --no-daemon
+
+      - name: Clean up GPG keys
+        run: gpg --batch --yes --delete-secret-keys ${{ secrets.GPG_KEY_ID }}