diff --git a/.github/workflows/maven-release.yaml b/.github/workflows/maven-release.yaml
new file mode 100644
index 000000000..7195f3358
--- /dev/null
+++ b/.github/workflows/maven-release.yaml
@@ -0,0 +1,83 @@
+# This workflow will build a package using Maven and then publish it to GitHub packages when a release is created
+## For more information see: https://github.com/actions/setup-java/blob/main/docs/advanced-usage.md#apache-maven-with-a-settings-path
+
+name: Maven Manual Deploy
+
+on:
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: "Git tag to release"
+        required: true
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    env:
+      SONATYPE_USER: ${{secrets.BUF_SONATYPE_USER}}
+      SONATYPE_PASSWORD: ${{secrets.BUF_SONATYPE_PASSWORD}}
+      GPG_KEY_NAME: ${{secrets.GPG_KEY_NAME}}
+      GPG_PASSPHRASE: ${{secrets.GPG_PASSPHRASE}}
+      MAVEN_OPTS: "--add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.lang.reflect=ALL-UNNAMED --add-opens=java.base/java.text=ALL-UNNAMED --add-opens=java.desktop/java.awt.font=ALL-UNNAMED"
+      REF_NAME: ${{ inputs.tag }}
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{inputs.tag}}
+      - uses: actions/setup-go@v5
+        with:
+          go-version: 'stable'
+      - name: Set VERSION variable from tag
+        run: |
+          VERSION=${{ env.REF_NAME }}
+          echo "VERSION=${VERSION:1}" >> $GITHUB_ENV
+
+      - name: 'Configure GPG signing'
+        env:
+          GPG_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
+          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
+        run: |
+          # https://github.com/keybase/keybase-issues/issues/2798
+          export GPG_TTY=$(tty)
+          # Import gpg keys and warm the passphrase to avoid the gpg
+          # passphrase prompt when initating a deploy
+          # `--pinentry-mode=loopback` could be needed to ensure we
+          # suppress the gpg prompt
+          echo $GPG_KEY | base64 --decode > signing-key
+          gpg --passphrase $GPG_PASSPHRASE --batch --import signing-key
+          shred signing-key
+
+      - name: Configure GIT
+        run: |
+          git config --global user.email "envoy-bot@users.noreply.github.com"
+          git config --global user.name "envoy-bot"
+
+      - name: Set up JDK
+        uses: actions/setup-java@v4
+        with:
+          distribution: 'temurin'
+          java-version: '17'
+          cache: 'maven'
+          server-id: sonatype-nexus-snapshots
+          server-username: ${ env.SONATYPE_USER }
+          server-password: ${ env.SONATYPE_PASSWORD }
+          gpg-private-key: ${{ secrets.GPG_SECRET_KEY }}
+          gpg-passphrase: ${ env.GPG_PASSPHRASE }
+
+      - name: Update version in pom
+        working-directory: ${{ github.workspace }}/java
+        run: mvn -B versions:set -DnewVersion=${{ env.VERSION }} -DgenerateBackupPoms=false
+
+      - name: Publish to Maven Packages Apache Maven
+        working-directory: ${{ github.workspace }}/java
+        run: |
+          mvn -B -s settings.xml --debug clean deploy \
+          -Darguments="-s settings.xml" \
+          -DreleaseVersion=${{ env.VERSION }} \
+          -DdevelopmentVersion=${{ env.VERSION }}-SNAPSHOT \
+          -DscmCommentPrefix="java release: "
+        env:
+          MAVEN_USERNAME: ${{ env.SONATYPE_USER }}
+          MAVEN_CENTRAL_TOKEN: ${{ env.SONATYPE_PASSWORD }}
+          MAVEN_GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}