diff --git a/.github/NOTES b/.github/NOTES index 7b0565b..64253c9 100644 --- a/.github/NOTES +++ b/.github/NOTES @@ -2,6 +2,12 @@ Add subkeys: ???? +Publish: + +gpg --send-keys --keyserver keyserver.ubuntu.com $KEYID +gpg --send-keys --keyserver pgp.mit.edu $KEYID +gpg --send-keys --keyserver pool.sks-keyservers.net $KEYID + Backup: gpg --export --armor pcampbell@kemitix.net > gpg-key-backup.asc @@ -43,3 +49,5 @@ gpg --export-secret-keys --armor pcampbell@kemitix.net >> codesigning.asc Encrypt keys: gpg --symmetric --cipher-algo AES256 codesigning.asc + +shred codesigning.asc diff --git a/.github/codesigning.asc.gpg b/.github/codesigning.asc.gpg index 6327d43..f5c71e0 100644 Binary files a/.github/codesigning.asc.gpg and b/.github/codesigning.asc.gpg differ diff --git a/.github/deploy.sh b/.github/deploy.sh deleted file mode 100644 index 5504f4e..0000000 --- a/.github/deploy.sh +++ /dev/null @@ -1,43 +0,0 @@ -#!/usr/bin/env bash - -# Decrypts the signing key in .github/codesigning.asc.enc -# Imports that key -# Uses .github/settings.xml and the release profile to deploy - -echo "deploy.sh: Starting..." - -( - cd .github - - echo "Retrieving GPG Private KEY" - gpg --quiet \ - --batch \ - --yes \ - --decrypt \ - --passphrase="${GPG_PASSPHRASE}" \ - --output codesigning.asc \ - codesigning.asc.gpg - - echo "Loading signing key" - gpg --batch \ - --fast-import codesigning.asc -) - -if test -z ${DEPLOY_PROJECTS} -then - PROJECTS="" - echo "Deploying Projects: all" -else - PROJECTS="-pl ${DEPLOY_PROJECTS}" - echo "Deploying Projects: $DEPLOY_PROJECTS" -fi - -echo "Releasing..." -mvn ${PROJECTS} \ - --settings .github/settings.xml \ - -Dskip-Tests=true \ - -P release \ - -B \ - deploy - -echo "deploy.sh: Done." diff --git a/.github/stale.yaml b/.github/stale.yaml new file mode 100644 index 0000000..dc90e5a --- /dev/null +++ b/.github/stale.yaml 
@@ -0,0 +1,17 @@
+# Number of days of inactivity before an issue becomes stale
+daysUntilStale: 60
+# Number of days of inactivity before a stale issue is closed
+daysUntilClose: 7
+# Issues with these labels will never be considered stale
+exemptLabels:
+ - pinned
+ - security
+# Label to use when marking an issue as stale
+staleLabel: wontfix
+# Comment to post when marking an issue as stale. Set to `false` to disable
+markComment: >
+ This issue has been automatically marked as stale because it has not had
+ recent activity. It will be closed if no further activity occurs. Thank you
+ for your contributions.
+# Comment to post when closing a stale issue. Set to `false` to disable
+closeComment: false
diff --git a/.github/workflows/maven-build.yml b/.github/workflows/build-maven.yml
similarity index 83%
rename from .github/workflows/maven-build.yml
rename to .github/workflows/build-maven.yml
index 289b4e8..71d3bb3 100644
--- a/.github/workflows/maven-build.yml
+++ b/.github/workflows/build-maven.yml
@@ -14,9 +14,9 @@ jobs:
 java: [ 11, 15 ]
 steps:
 - uses: kamiazya/setup-graphviz@v1
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v2.3.4
 - name: setup-jdk-${{ matrix.java }}
- uses: actions/setup-java@v1
+ uses: actions/setup-java@v1.4.3
 with:
 java-version: ${{ matrix.java }}
 - name: build-jar
diff --git a/.github/workflows/deploy-sonatype.yml b/.github/workflows/deploy-sonatype.yml
new file mode 100644
index 0000000..fc71e07
--- /dev/null
+++ b/.github/workflows/deploy-sonatype.yml
@@ -0,0 +1,40 @@
+name: sonatype-deploy
+
+on:
+ push:
+ tags:
+ - "v*"
+
+jobs:
+ deploy:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: kamiazya/setup-graphviz@v1
+ - uses: actions/checkout@v2.3.4
+ - name: Set up JDK
+ uses: actions/setup-java@v1.4.3
+ with:
+ java-version: 11
+ - name: Build with Maven
+ run: mvn -B install
+ - name: Nexus Repo Publish
+ run: |
+ gpg --quiet \
+ --batch \
+ --yes \
+ --decrypt \
+ --passphrase="${{ secrets.GPG_PASSPHRASE }}" \
+ --output codesigning.asc \
+ .github/codesigning.asc.gpg
+ gpg --batch \
+ --fast-import codesigning.asc
+ mvn --settings .github/settings.xml \
+ -Dskip-Tests=true \
+ -P release \
+ -B \
+ deploy
+ env:
+ NEXUS_USERNAME: kemitix
+ NEXUS_PASSWORD: ${{ secrets.NEXUS_PASSWORD }}
+ GPG_KEYNAME: ${{ secrets.GPG_KEYNAME }}
+ GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
diff --git a/.github/workflows/sonatype-deploy.yml b/.github/workflows/sonatype-deploy.yml
deleted file mode 100644
index 7ffe5d6..0000000
--- a/.github/workflows/sonatype-deploy.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-name: sonatype-deploy
-
-on:
- release:
- types: [created]
-
-jobs:
- deploy:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v2
- - name: Set up JDK 11
- uses: actions/setup-java@v1
- with:
- java-version: 11
- - name: Build with Maven
- run: mvn -B package
- - name: Nexus Repo Publish
- run: sh .github/deploy.sh
- env:
- NEXUS_USERNAME: ${{ secrets.NEXUS_USERNAME }}
- NEXUS_PASSWORD: ${{ secrets.NEXUS_PASSWORD }}
- GPG_KEYNAME: ${{ secrets.GPG_KEYNAME }}
- GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
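Review bot: In the `Nexus Repo Publish` step of deploy-sonatype.yml, `--passphrase="${{ secrets.GPG_PASSPHRASE }}"` is expanded by Actions into the script text before bash runs, so a passphrase containing `"`, `$` or a backtick is reinterpreted by the shell and the secret lands on the gpg command line; the step already exports the value under `env:`, so `--passphrase="$GPG_PASSPHRASE" \` is the safer form, and `--passphrase-fd 0` would keep it out of the argument list entirely. The decrypted `codesigning.asc` is written to the workspace and is still there while `mvn ... deploy` runs; deleting it straight after `--fast-import` (`shred -u codesigning.asc`, matching what the NOTES hunk in this commit does by hand) shortens the time the exported secret key sits on disk. This job holds the signing key and `NEXUS_PASSWORD`, yet `kamiazya/setup-graphviz@v1` is referenced by a movable tag; pinning it, and the two `actions/*` steps, to a full commit SHA would keep a retagged action from running with those secrets.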