diff --git a/.github/workflows/publish-bucky-jar.yml b/.github/workflows/publish-bucky-jar.yml
index d1f0449..6dbd4f5 100644
--- a/.github/workflows/publish-bucky-jar.yml
+++ b/.github/workflows/publish-bucky-jar.yml
@@ -1,6 +1,9 @@
 # SPDX-License-Identifier: Apache-2.0
 name: Release Workflow
 on:
+  push:
+    tags:
+      - "v[0-9]+.[0-9]+.[0-9]+-?*"
   # Manual trigger — version is read from version.txt on the checked-out branch
   workflow_dispatch:
     inputs:
@@ -9,6 +12,11 @@ on:
         type: boolean
         required: false
         default: true
+      ref:
+        description: "Git ref to check out (branch, tag, or commit SHA)"
+        type: string
+        required: false
+        default: ""
 
 defaults:
   run:
@@ -16,7 +24,7 @@ defaults:
 
 permissions:
   id-token: write
-  contents: read
+  contents: write
   packages: write
 
 env:
@@ -43,6 +51,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
+          ref: ${{ github.event.inputs.ref || github.ref }}
 
       - name: Install GnuPG Tools
         if: "${{ github.event_name != 'workflow_dispatch' || github.event.inputs.dry-run-enabled == 'false' }}"
@@ -79,7 +88,19 @@ jobs:
       - name: Publish jar to Maven Central
         if: "${{ github.event_name != 'workflow_dispatch' || github.event.inputs.dry-run-enabled == 'false' }}"
         env:
-          NEXUS_USERNAME: ${{ secrets.SONATYPE_USERNAME }}
-          NEXUS_PASSWORD: ${{ secrets.SONATYPE_PASSWORD }}
+          NEXUS_USERNAME: ${{ secrets.CENTRAL_PUBLISHING_USERNAME }}
+          NEXUS_PASSWORD: ${{ secrets.CENTRAL_PUBLISHING_PASSWORD }}
         # Gradle reads version.txt; a -SNAPSHOT version publishes to Maven Central Snapshots, otherwise to Maven Central
-        run: ./gradlew publishAggregationToCentralPortal -PpublishSigningEnabled=true
+        run: ./gradlew publishAggregationToCentralPortal -PpublishSigningEnabled=true --no-configuration-cache --no-parallel
+
+      - name: Create GitHub Release
+        if: "${{ github.event_name == 'push' }}"
+        uses: step-security/release-action@03a57407052f15d1537fd5469a6fbbc536aba326 # v1.20.0
+        with:
+          allowUpdates: true
+          draft: false
+          generateReleaseNotes: true
+          name: ${{ github.ref_name }}
+          prerelease: ${{ contains(github.ref_name, '-') }}
+          tag: ${{ github.ref_name }}
+          token: ${{ github.token }}
diff --git a/.github/workflows/release-automation.yml b/.github/workflows/release-automation.yml
index c253b20..d952d96 100644
--- a/.github/workflows/release-automation.yml
+++ b/.github/workflows/release-automation.yml
@@ -125,19 +125,6 @@ jobs:
           commit_user_email: ${{ steps.gpg_importer.outputs.email }}
           tagging_message: ${{ env.RELEASE_TAG }}
 
-      - name: Create Github Release
-        uses: step-security/release-action@03a57407052f15d1537fd5469a6fbbc536aba326 # v1.20.0
-        with:
-          allowUpdates: true
-          commit: ${{ env.RELEASE_BRANCH }}
-          draft: true
-          generateReleaseNotes: false
-          name: ${{ env.RELEASE_TAG }}
-          omitBody: ${{ steps.milestone.outputs.milestone_id == '' }}
-          prerelease: ${{ steps.version_parser.outputs.prerelease != '' }}
-          tag: ${{ env.RELEASE_TAG }}
-          token: ${{ secrets.GH_ACCESS_TOKEN }}
-
   create_pr:
     timeout-minutes: 10
     name: Create PR