diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 9a8675a013..86436823f2 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -243,3 +243,89 @@ jobs:
             env:
                 GITHUB_TOKEN: ${{ secrets.AUTOMATION_GITHUB_TOKEN }}
                 GRADLE_OPTS: '-Dorg.gradle.daemon=false'
+
+  # --------------------------------------------------
+  # job: release
+  # --------------------------------------------------
+  release:
+    name: Release
+    if: ${{ contains(needs.build.outputs.commit_message,'[release]') }}
+    runs-on: ubuntu-latest
+    needs: build
+    permissions:
+        contents: write
+    timeout-minutes: 10
+    steps:
+      # setup steps
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+          submodules: true
+
+      - name: Setup Java
+        uses: actions/setup-java@v4
+        with:
+          java-version: 17
+          distribution: 'temurin'
+          architecture: x64
+
+      - name: Setup AWS
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: eu-west-1
+          aws-access-key-id: ${{ secrets.AWS_DEPLOY_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_DEPLOY_SECRET_ACCESS_KEY }}
+
+      - name: Login to Docker hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_HUB_ID }}
+          password: ${{ secrets.DOCKER_HUB_PASSWORD }}
+
+      - name: Login to Seqera registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ vars.SEQERA_PUBLIC_CR_URL }}
+          username: ${{ secrets.SEQERA_PUBLIC_CR_USER }}
+          password: ${{ secrets.SEQERA_PUBLIC_CR_PASSWORD }}
+
+      # release step
+      - name: Release
+        run: bash release/main.sh
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_DEPLOY_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_DEPLOY_SECRET_ACCESS_KEY }}
+          GH_ORG: ${{ vars.PLUGINS_GITHUB_ORG }}
+          GH_USER: ${{ vars.DEPLOY_GITHUB_USER }}
+          GH_USER_EMAIL: ${{ vars.DEPLOY_GITHUB_EMAIL }}
+          GH_TOKEN: ${{ secrets.DEPLOY_GITHUB_TOKEN }}
+          MAVEN_PUBLISH_URL: ${{ vars.MAVEN_PLUGINS_PUBLISH_URL }}
+          PLUGINS_INDEX_JSON: ${{ vars.PLUGINS_INDEX_JSON }}
+          S3_RELEASE_BUCKET: ${{ vars.S3_RELEASE_BUCKET }}
+          SEQERA_CONTAINER_REGISTRY: ${{ vars.SEQERA_PUBLIC_CR_URL }}
+
+      # upload steps
+      - name: Upload artifacts (libs)
+        uses: actions/upload-artifact@v4
+        with:
+          retention-days: 3
+          name: libs
+          path: modules/*/build/libs/
+
+      - name: Upload artifacts (distribution)
+        uses: actions/upload-artifact@v4
+        with:
+          retention-days: 3
+          name: distribution
+          path: build/releases/
+
+      - name: Upload artifacts (plugins)
+        uses: actions/upload-artifact@v4
+        with:
+          retention-days: 3
+          compression-level: 0
+          name: plugins
+          path: |
+            plugins/build/libs/
+            plugins/*/build/libs/
diff --git a/Makefile b/Makefile
index 4a12211e00..040877a530 100644
--- a/Makefile
+++ b/Makefile
@@ -86,10 +86,10 @@ smoke:
 	NXF_SMOKE=1 ./gradlew ${mm}test
 
 #
-# Upload JAR artifacts to Maven Central
+# Generate all the jars required to create a release
 #
-upload:
-	./gradlew upload
+distribution:
+	BUILD_PACK=1 ./gradlew buildInfo compile assemble pack javadocJar sourcesJar testFixturesJar
 
 #
 # Create self-contained distribution package
@@ -98,38 +98,14 @@ pack:
 	BUILD_PACK=1 ./gradlew pack
 
 #
-# Upload NF launcher to nextflow.io web site
-#
-deploy:
-	BUILD_PACK=1 ./gradlew deploy
-
-#
-# Close artifacts uploaded to Maven central
-#
-close:
-	./gradlew closeAndReleaseRepository
-
-#
-# Upload final package to GitHub
+# Initiate the nextflow release process
 #
+.PHONY: release
 release:
-	BUILD_PACK=1 ./gradlew release
-
-#
-# Create and upload docker image distribution
-#
-dockerImage:
-	BUILD_PACK=1 ./gradlew dockerImage
+	./make-release.sh
 
 #
 # Create local docker image
 #
 dockerPack:
 	BUILD_PACK=1 ./gradlew publishToMavenLocal dockerPack -Dmaven.repo.local=${PWD}/build/docker/.nextflow/capsule/deps/
-
-
-upload-plugins:
-	./gradlew plugins:upload
-
-publish-index:
-	./gradlew plugins:publishIndex
diff --git a/build.gradle b/build.gradle
index 4b4ee6e1f2..bfd98929fe 100644
--- a/build.gradle
+++ b/build.gradle
@@ -15,7 +15,6 @@
  */
 
 plugins {
-    id "io.codearte.nexus-staging" version "0.30.0"
     id 'java'
     id 'idea'
 }
@@ -274,29 +273,21 @@ task exportClasspath {
     }
 }
 
-ext.nexusUsername = project.findProperty('nexusUsername')
-ext.nexusPassword = project.findProperty('nexusPassword')
-ext.nexusFullName = project.findProperty('nexusFullName')
-ext.nexusEmail = project.findProperty('nexusEmail')
-
 // `signing.keyId` property needs to be defined in the `gradle.properties` file
 ext.enableSignArchives = project.findProperty('signing.keyId')
 
 ext.coreProjects = projects( ':nextflow', ':nf-commons', ':nf-httpfs' )
 
-configure(coreProjects) {
-    group = 'io.nextflow'
-    version = rootProject.file('VERSION').text.trim()
-}
-
 /*
- * Maven central deployment
- * http://central.sonatype.org/pages/gradle.html
+ * Maven deployment
  */
 configure(coreProjects) {
     apply plugin: 'maven-publish'
     apply plugin: 'signing'
 
+    group = 'io.nextflow'
+    version = rootProject.file('VERSION').text.trim()
+
     task javadocJar(type: Jar) {
         archiveClassifier = 'javadoc'
         from configurations.groovyDoc
@@ -333,9 +324,8 @@ configure(coreProjects) {
                     }
                     developers {
                         developer {
-                            id = nexusUsername
-                            name = nexusFullName
-                            email = nexusEmail
+                            name = 'Paolo Di Tommaso'
+                            email = 'paolo.ditommaso@gmail.com'
                         }
                     }
                     scm {
@@ -352,13 +342,12 @@ configure(coreProjects) {
 
         repositories {
             maven {
-                // change URLs to point to your repos, e.g. http://my.org/repo
-                def releasesRepoUrl = "https://oss.sonatype.org/service/local/staging/deploy/maven2/"
-                def snapshotsRepoUrl = "https://oss.sonatype.org/content/repositories/snapshots/"
-                url = version.endsWith('SNAPSHOT') ? snapshotsRepoUrl : releasesRepoUrl
-                credentials(PasswordCredentials) {
-                    username nexusUsername
-                    password nexusPassword
+                url = findProperty('maven_publish_url') ?: System.getenv('MAVEN_PUBLISH_URL')
+                url = version.endsWith('-SNAPSHOT') ? "$url/snapshots" : "$url/releases"
+
+                credentials(AwsCredentials) {
+                    accessKey = findProperty('aws_access_key_id') ?: System.getenv('AWS_ACCESS_KEY_ID')
+                    secretKey = findProperty('aws_secret_access_key') ?: System.getenv('AWS_SECRET_ACCESS_KEY')
                 }
             }
         }
@@ -368,14 +357,10 @@ configure(coreProjects) {
         required { enableSignArchives }
         sign publishing.publications.mavenJava
     }
-
 }
 
-
-String bytesToHex(byte[] bytes) {
-    StringBuffer result = new StringBuffer();
-    for (byte byt : bytes) result.append(Integer.toString((byt & 0xff) + 0x100, 16).substring(1));
-    return result.toString();
+task publishToMaven {
+    dependsOn coreProjects.publish
 }
 
 task makeDigest { doLast {
@@ -383,34 +368,15 @@ task makeDigest { doLast {
     String  str = file('nextflow').text
     // create sha1
     digest = java.security.MessageDigest.getInstance("SHA1").digest(str.getBytes())
-    file('nextflow.sha1').text = new BigInteger(1, digest).toString(16) + '\n'
+    file('nextflow.sha1').text = digest.encodeHex().toString() + '\n'
     // create sha-256
     digest = java.security.MessageDigest.getInstance("SHA-256").digest(str.getBytes())
-    file('nextflow.sha256').text = bytesToHex(digest) + '\n'
+    file('nextflow.sha256').text = digest.encodeHex().toString() + '\n'
     // create md5
     digest = java.security.MessageDigest.getInstance("MD5").digest(str.getBytes())
-    file('nextflow.md5').text = bytesToHex(digest) + '\n'
+    file('nextflow.md5').text = digest.encodeHex().toString() + '\n'
 }}
 
-
-task upload {
-    dependsOn compile
-    dependsOn makeDigest
-    dependsOn coreProjects.publish
-}
-
-/*
- * Configure Nextflow staging plugin -- https://github.com/Codearte/gradle-nexus-staging-plugin
- * It adds the tasks
- * - closeRepository
- * - releaseRepository
- * - closeAndReleaseRepository
- */
-nexusStaging {
-    packageGroup = 'io.nextflow'
-    delayBetweenRetriesInMillis = 10_000
-}
-
 if( System.env.BUILD_PACK ) {
     apply from: 'packing.gradle'
 }
diff --git a/buildSrc/src/main/groovy/io/nextflow/gradle/tasks/GithubRepositoryPublisher.groovy b/buildSrc/src/main/groovy/io/nextflow/gradle/tasks/GithubRepositoryPublisher.groovy
index 6f5babbe9d..0d4ed66d22 100644
--- a/buildSrc/src/main/groovy/io/nextflow/gradle/tasks/GithubRepositoryPublisher.groovy
+++ b/buildSrc/src/main/groovy/io/nextflow/gradle/tasks/GithubRepositoryPublisher.groovy
@@ -61,6 +61,7 @@ class GithubRepositoryPublisher extends DefaultTask {
 
 
     String mergeIndex(List<PluginMeta> mainIndex, Map<String,List<PluginRelease>> pluginsToPublish) {
+        boolean modified = false
 
         for( Map.Entry<String,List<PluginRelease>> item : pluginsToPublish ) {
             final pluginId = item.key
@@ -69,6 +70,7 @@ class GithubRepositoryPublisher extends DefaultTask {
 
             if (!indexEntry) {
                 mainIndex.add(new PluginMeta(id: pluginId, releases: pluginReleases))
+                modified = true
             }
             else {
                 for (PluginRelease rel : pluginReleases) {
@@ -79,11 +81,13 @@ class GithubRepositoryPublisher extends DefaultTask {
                     // if not, add to the index
                     if( !indexRel ) {
                         indexEntry.releases << rel
+                        modified = true
                     }
                     // otherwise, verify the checksum matches
                     else if( indexRel.sha512sum != rel.sha512sum ) {
                         if( overwrite ) {
                             indexEntry.releases[index] = rel
+                            modified = true
                         }
                         else {
                             def msg = "Plugin $pluginId@${rel.version} invalid checksum:\n"
@@ -97,11 +101,15 @@ class GithubRepositoryPublisher extends DefaultTask {
             }
         }
 
-        new GsonBuilder()
+        if ( modified ) {
+            return new GsonBuilder()
                 .setPrettyPrinting()
                 .disableHtmlEscaping()
                 .create()
                 .toJson(mainIndex)
+        } else {
+            return null
+        }
     }
 
     List<PluginMeta> parseMainIndex(GithubClient github, String path) {
@@ -188,10 +196,13 @@ class GithubRepositoryPublisher extends DefaultTask {
         logger.quiet("Merging index")
         final result = mergeIndex(mainIndex, pluginsToPublish)
 
-        // push to github
-        logger.quiet("Publish merged index to $indexUrl")
-
-        github.pushChange(targetFileName, result.toString() + '\n', "Nextflow plugins update")
+        if ( result ) {
+            // push to github
+            logger.quiet("Publish merged index to $indexUrl")
+            github.pushChange(targetFileName, result.toString() + '\n', "Nextflow plugins update")
+        } else {
+            logger.quiet("No changes to index")
+        }
     }
 
 }
diff --git a/docker/Makefile b/docker/Makefile
index e65294f7fe..3c19a9d3e6 100644
--- a/docker/Makefile
+++ b/docker/Makefile
@@ -23,12 +23,6 @@ build-arm: dist/docker/arm64
 	cp ../nextflow .
 	docker buildx build --platform linux/arm64 --output=type=docker --progress=plain --tag nextflow/nextflow:${version} --build-arg TARGETPLATFORM=linux/arm64 .
 
-release: build
-	docker push nextflow/nextflow:${version}
-	#
-	docker tag nextflow/nextflow:${version} public.cr.seqera.io/nextflow/nextflow:${version}
-	docker push public.cr.seqera.io/nextflow/nextflow:${version}
-
 #Static builds can now be found at:
 #
 #  Linux:   https://download.docker.com/linux/static
diff --git a/make-release.sh b/make-release.sh
new file mode 100755
index 0000000000..769e44264d
--- /dev/null
+++ b/make-release.sh
@@ -0,0 +1,86 @@
+#!/usr/bin/env bash
+set -e
+
+# -----------------------------------------------------------------------------
+# Nextflow release entrypoint
+#
+# This script starts a Nextflow release, and is executed by the `make release`
+# command. It will help guide you through the manual steps required to perform
+# a release, and then trigger a release build on the CI system (Github Actions).
+# -----------------------------------------------------------------------------
+
+cd "$(dirname "$0")"
+
+# read the nextflow version
+read -r NF_VERSION<VERSION
+
+# read the plugin versions
+plugins=()
+plugin_versions=()
+function get_plugin_version() {
+  grep 'Plugin-Version' "$1/src/resources/META-INF/MANIFEST.MF" |\
+    cut -d ':' -f 2 |\
+    xargs
+}
+for plugin in plugins/nf-*; do
+  if [[ -d "$plugin" ]]; then
+    plugins+=("$plugin")
+    plugin_versions+=("$(get_plugin_version "$plugin")")
+  fi
+done
+
+# prompt user to check versions are correct
+echo "
+------------------------
+This will release:
+
+  nextflow: $NF_VERSION
+"
+for i in "${!plugins[@]}"; do
+  plugin_name=$(basename "${plugins[$i]}")
+  echo "  $plugin_name: ${plugin_versions[$i]}"
+done
+echo "------------------------
+
+If these are not the versions you want to release, type 'no' and update the below
+files (without committing), then run this script again:
+  .
+  ├── VERSION
+  ├── nextflow
+  ├── changelog.txt
+  ├── plugins/nf-*/
+  │   ├── src/main/resources/META-INF/MANIFEST.MF
+  │   └── changelog.txt
+  └── modules/nextflow/
+      └── src/main/resources/META-INF/plugins-info.txt
+"
+
+echo -n "Type 'yes' to proceed: "
+read -r proceed
+if [[ "$proceed" != "yes" ]]; then
+  echo "Aborting"
+  exit
+fi
+
+# update the digest files before committing anything
+./gradlew makeDigest
+
+# create the release commit, including text '[release]' to trigger the github action
+# the github action workflow will perform the following tasks
+# - tag the release
+# - build the release artifacts
+# - deploy the release artifacts to maven/docker/S3/etc
+# - create a (pre-release) github release
+# - deploy the plugins, and update the plugin index
+git commit -s -am "Release $NF_VERSION [release]"
+# push the current branch is to the remote origin
+git push origin HEAD
+
+echo "
+------------------------------------------------------------
+Release commit pushed.
+This should trigger a github release workflow.
+Once the workflow is complete, you should check and publish
+the draft github release.
+------------------------------------------------------------
+"
diff --git a/packing.gradle b/packing.gradle
index 07e404c0d9..2ce2c17ca4 100644
--- a/packing.gradle
+++ b/packing.gradle
@@ -29,22 +29,6 @@ ext.mainClassName = 'nextflow.cli.Launcher'
 ext.homeDir = System.properties['user.home']
 ext.nextflowDir = "$homeDir/.nextflow/framework/$version"
 ext.releaseDir = "$buildDir/releases"
-ext.s3CmdOpts="--acl public-read --storage-class STANDARD --region eu-west-1"
-
-protected error(String message) {
-    logger.error message
-    throw new StopExecutionException(message)
-}
-
-protected checkVersionExits(String version) {
-    if(version.endsWith('-SNAPSHOT'))
-        return
-
-    def cmd = "AWS_ACCESS_KEY_ID=${System.env.NXF_AWS_ACCESS} AWS_SECRET_ACCESS_KEY=${System.env.NXF_AWS_SECRET} aws s3 ls s3://www2.nextflow.io/releases/v$version/nextflow"
-    def status=['bash','-c', cmd].execute().waitFor()
-    if( status == 0 )
-        error("STOP!! Version $version already deployed!")
-}
 
 protected resolveDeps( String configName, String... x ) {
 
@@ -125,42 +109,6 @@ task pack( dependsOn: [packOne, packDist]) {
 
 }
 
-task deploy( type: Exec, dependsOn: [clean, compile, pack]) {
-
-    def temp = File.createTempFile('upload',null)
-    temp.deleteOnExit()
-    def files = []
-
-    doFirst {
-        checkVersionExits(version)
-        
-        def path = new File(releaseDir)
-        if( !path.exists() ) error("Releases path does not exist: $path")
-        path.eachFile {
-            if( it.name.startsWith("nextflow-$version"))
-                files << it
-        }
-
-        if( !files ) error("Can't find any file to upload -- Check path: $path")
-        files << file('nextflow').absoluteFile
-        files << file('nextflow.sha1').absoluteFile
-        files << file('nextflow.sha256').absoluteFile
-        files << file('nextflow.md5').absoluteFile
-
-        println "Uploading artifacts: "
-        files.each { println "- $it"}
-
-        def script = []
-        script << "export AWS_ACCESS_KEY_ID=${System.env.NXF_AWS_ACCESS}"
-        script << "export AWS_SECRET_ACCESS_KEY=${System.env.NXF_AWS_SECRET}"
-        script.addAll( files.collect { "aws s3 cp ${it} s3://www2.nextflow.io/releases/v${version}/${it.name} ${s3CmdOpts}"})
-
-        temp.text = script.join('\n')
-    }
-
-    commandLine 'bash', '-e', temp.absolutePath
-}
-
 task installLauncher(type: Copy, dependsOn: ['pack']) {
     from "$releaseDir/nextflow-$version-one.jar"
     into "$homeDir/.nextflow/framework/$version/"
@@ -171,23 +119,6 @@ task installScratch(type: Copy, dependsOn: ['pack']) {
     into "${rootProject.projectDir}/test-e2e/.nextflow/framework/$version/"
 }
 
-/*
- * build, tag and publish a and new docker packaged nextflow release
- */
-task dockerImage(type: Exec) {
-
-    def temp = File.createTempFile('upload',null)
-    temp.deleteOnExit()
-    temp.text =  """\
-    grep $version nextflow
-    cp nextflow docker/nextflow
-    cd docker
-    make release version=$version
-    """.stripIndent()
-
-    commandLine 'bash', '-e', temp.absolutePath
-}
-
 /*
  * Build a docker container image with the current snapshot
  * DO NOT CALL IT DIRECTLY! Use the `make dockerPack` command instead
@@ -229,61 +160,3 @@ task dockerPack(type: Exec, dependsOn: ['packOne']) {
 
     commandLine 'bash', '-e', temp.absolutePath
 }
-
-/*
- * Tag and upload the release
- * 
- * https://github.com/aktau/github-release/
- */
-task release(type: Exec, dependsOn: [pack, dockerImage]) {
-
-    def launcherFile = file('nextflow').absoluteFile
-    def launcherSha1 = file('nextflow.sha1').absoluteFile
-    def launcherSha256 = file('nextflow.sha256').absoluteFile
-    def nextflowAllFile = file("$releaseDir/nextflow-${version}-dist")
-    def versionFile = file('VERSION').absoluteFile
-
-    def snapshot = version ==~ /^.+(-RC\d+|-SNAPSHOT)$/
-    def edge = version ==~ /^.+(-edge|-EDGE)$/
-    def isLatest = !snapshot && !edge
-    def cmd =  """\
-    # tag the release
-    git push || exit \$?
-    (git tag -a v$version -m 'Tagging version $version [release]' -f && git push origin v$version -f) || exit \$?
-    sleep 1
-    gh release create --repo nextflow-io/nextflow --prerelease --title "Version $version" v$version 
-    sleep 1
-    gh release upload --repo nextflow-io/nextflow v$version ${launcherFile} ${nextflowAllFile}        
-    """.stripIndent()
-
-    if( edge )
-        cmd += """
-        # publish the script as the latest
-        export AWS_ACCESS_KEY_ID=${System.env.NXF_AWS_ACCESS}
-        export AWS_SECRET_ACCESS_KEY=${System.env.NXF_AWS_SECRET}
-        aws s3 cp $launcherFile s3://www2.nextflow.io/releases/edge/nextflow $s3CmdOpts
-        aws s3 cp $launcherSha1 s3://www2.nextflow.io/releases/edge/nextflow.sha1 $s3CmdOpts
-        aws s3 cp $launcherSha256 s3://www2.nextflow.io/releases/edge/nextflow.sha256 $s3CmdOpts
-        aws s3 cp $launcherSha256 s3://www2.nextflow.io/releases/edge/nextflow.md5 $s3CmdOpts
-        aws s3 cp $versionFile s3://www2.nextflow.io/releases/edge/version $s3CmdOpts
-        """.stripIndent()
-        
-    else if( isLatest )
-        cmd += """
-        # publish the script as the latest
-        export AWS_ACCESS_KEY_ID=${System.env.NXF_AWS_ACCESS}
-        export AWS_SECRET_ACCESS_KEY=${System.env.NXF_AWS_SECRET}
-        aws s3 cp $launcherFile s3://www2.nextflow.io/releases/latest/nextflow $s3CmdOpts
-        aws s3 cp $launcherSha1 s3://www2.nextflow.io/releases/latest/nextflow.sha1 $s3CmdOpts
-        aws s3 cp $launcherSha256 s3://www2.nextflow.io/releases/latest/nextflow.sha256 $s3CmdOpts
-        aws s3 cp $launcherSha256 s3://www2.nextflow.io/releases/latest/nextflow.md5 $s3CmdOpts
-        aws s3 cp $versionFile s3://www2.nextflow.io/releases/latest/version $s3CmdOpts
-        """.stripIndent()
-
-    def temp = File.createTempFile('upload',null)
-    temp.deleteOnExit()
-    temp.text = cmd
-    commandLine 'bash', '-e', temp.absolutePath
-}
-
-
diff --git a/plugins/build.gradle b/plugins/build.gradle
index 78b2656ffd..b547fa78a3 100644
--- a/plugins/build.gradle
+++ b/plugins/build.gradle
@@ -1,18 +1,9 @@
-import io.nextflow.gradle.tasks.GithubUploader
 import io.nextflow.gradle.tasks.GithubRepositoryPublisher
 import org.apache.commons.codec.digest.DigestUtils
 
 apply plugin: 'java'
 apply plugin: "io.nextflow.nf-build-plugin"
 
-ext.github_organization = 'nextflow-io'
-ext.github_username = project.findProperty('github_username') ?: 'pditommaso'
-ext.github_access_token = project.findProperty('github_access_token') ?: System.getenv('GITHUB_TOKEN')
-ext.github_commit_email = project.findProperty('github_commit_email') ?: 'paolo.ditommaso@gmail.com'
-ext.aws_access_key_id = project.findProperty('aws_access_key_id') ?: System.getenv('AWS_ACCESS_KEY_ID')
-ext.aws_secret_access_key = project.findProperty('aws_secret_access_key') ?: System.getenv('AWS_SECRET_ACCESS_KEY')
-ext.publishRepoUrl = project.findProperty('publish_repo_url') ?: System.getenv('PUBLISH_REPO_URL') ?: ( version.endsWith('-SNAPSHOT') ? "s3://maven.seqera.io/snapshots" : "s3://maven.seqera.io/releases" )
-
 jar.enabled = false
 
 String computeSha512(File file) {
@@ -120,24 +111,6 @@ subprojects {
     */
     project.parent.tasks.getByName("assemble").dependsOn << copyPluginZip
 
-
-    /*
-     * Upload the plugin zip & json meta file to the corresponding GitHub repo
-     */
-    task uploadPlugin(type: GithubUploader, dependsOn: makeZip) {
-        group 'nextflow'
-        assets = providers.provider {["$buildDir/libs/${project.name}-${project.version}.zip",
-                                      "$buildDir/libs/${project.name}-${project.version}-meta.json" ]}
-        release = providers.provider { project.version }
-        unstable = providers.provider { project.version.endsWith('-SNAPSHOT') }
-        repo = providers.provider { project.name }
-        owner = github_organization
-        userName = github_username
-        authToken = github_access_token
-        skipExisting = true
-        ignore = true
-    }
-
     jar {
         from sourceSets.main.allSource
         doLast {
@@ -162,23 +135,25 @@ subprojects {
         }
         repositories {
             maven {
-                url = publishRepoUrl
+                url = findProperty('maven_publish_url') ?: System.getenv('MAVEN_PUBLISH_URL')
+                url = version.endsWith('-SNAPSHOT') ? "$url/snapshots" : "$url/releases"
+
                 credentials(AwsCredentials) {
-                    // keys are defined in the `gradle.properties` file
-                    accessKey aws_access_key_id
-                    secretKey aws_secret_access_key
+                    accessKey = findProperty('aws_access_key_id') ?: System.getenv('AWS_ACCESS_KEY_ID')
+                    secretKey = findProperty('aws_secret_access_key') ?: System.getenv('AWS_SECRET_ACCESS_KEY')
                 }
             }
         }
     }
 
-
 }
 
-/*
- * Upload all plugins to the corresponding GitHub repos
+/**
+ * Publish jars to maven repositories
  */
-task upload(dependsOn: [subprojects.uploadPlugin, subprojects.publish]) { }
+task publishPluginsToMaven {
+    dependsOn subprojects.publish
+}
 
 /*
  * Copies the plugins required dependencies in the corresponding lib directory
@@ -194,10 +169,10 @@ project.parent.tasks.getByName("assemble").dependsOn << assemble
  * Merge and publish the plugins index file
  */
 task publishIndex( type: GithubRepositoryPublisher ) {
-    indexUrl = 'https://github.com/nextflow-io/plugins/main/plugins.json'
+    indexUrl = project.findProperty('plugins_index_url') ?: System.getenv('PLUGINS_INDEX_JSON')
     repos = allPlugins()
-    owner = github_organization
-    githubUser = github_username
-    githubEmail = github_commit_email
-    githubToken = github_access_token
+    owner = project.findProperty('github_organization') ?: System.getenv('GH_ORG')
+    githubUser = project.findProperty('github_username') ?: System.getenv('GH_USER')
+    githubEmail = project.findProperty('github_commit_email') ?: System.getenv('GH_USER_EMAIL')
+    githubToken =  project.findProperty('github_access_token') ?: System.getenv('GH_TOKEN')
 }
diff --git a/release/deploy-plugins-to-github.sh b/release/deploy-plugins-to-github.sh
new file mode 100755
index 0000000000..4fa333469f
--- /dev/null
+++ b/release/deploy-plugins-to-github.sh
@@ -0,0 +1,49 @@
+#!/usr/bin/env bash
+set -e
+
+# change to the project root
+cd "$(dirname "$0")/.."
+
+GH_ORG=${GH_ORG:-'nextflow-io'}
+
+# function to extract plugin version from manifest
+function get_plugin_version() {
+  grep 'Plugin-Version' "$1/src/resources/META-INF/MANIFEST.MF" |\
+    cut -d ':' -f 2 |\
+    xargs
+}
+
+# deploy plugin artifacts to github releases
+echo "
+----------------------------------
+-- Publishing plugins to github --
+----------------------------------
+"
+
+for plugin in plugins/nf-*; do
+  if [[ -d "$plugin" ]]; then
+    # get plugin name and version
+    plugin_name=$(basename "$plugin")
+    plugin_repo="$GH_ORG/$plugin_name"
+    plugin_version=$(get_plugin_version "$plugin")
+
+    # check if release already exists
+    release_exists=false
+    gh release view --repo "$plugin_repo" "$plugin_version" > /dev/null 2>&1 \
+      && release_exists=true
+
+    # if not exists, create github release, with zip & meta json files
+    if [[ $release_exists == true ]]; then
+      echo "Plugin $plugin_name $plugin_version already deployed to github, skipping"
+    else
+      gh release create \
+        --repo "$plugin_repo" \
+        --title "Version $plugin_version" \
+        "$plugin_version" \
+        "$plugin/build/libs/$plugin_name-$plugin_version.zip" \
+        "$plugin/build/libs/$plugin_name-$plugin_version-meta.json"
+    fi
+  fi
+done
+
+echo "Done"
diff --git a/release/deploy-plugins-to-maven.sh b/release/deploy-plugins-to-maven.sh
new file mode 100755
index 0000000000..238093625a
--- /dev/null
+++ b/release/deploy-plugins-to-maven.sh
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+set -e
+
+# change to the project root
+cd "$(dirname "$0")/.."
+
+echo "
+---------------------------------
+-- Publishing plugins to maven --
+---------------------------------
+"
+
+# the release process should have already built the jars, so to avoid re-compiling everything
+# we can tell gradle to skip all non publish/publication related tasks
+./gradlew publishPluginsToMaven \
+  $( ./gradlew publishPluginsToMaven --dry-run | grep -iv 'publish\|publication' | awk '/^:/ { print "-x" $1 }')
+
+echo "Done"
diff --git a/release/deploy-to-docker.sh b/release/deploy-to-docker.sh
new file mode 100755
index 0000000000..4779582f73
--- /dev/null
+++ b/release/deploy-to-docker.sh
@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+set -e
+
+# change to the project root
+cd "$(dirname "$0")/.."
+
+# read the nextflow version
+read -r NF_VERSION<VERSION
+
+# build the docker image
+echo "
+---------------------------------------
+-- Building nextflow container image --
+---------------------------------------
+"
+cd docker
+make build version="$NF_VERSION"
+
+# push to docker hub
+echo "
+-------------------------------------
+-- Pushing container to docker hub --
+-------------------------------------
+"
+IMAGE_TAG="nextflow/nextflow:$NF_VERSION"
+docker push "$IMAGE_TAG"
+
+# push to seqera registry
+echo "
+------------------------------------------
+-- Pushing container to seqera registry --
+------------------------------------------
+"
+if [ -z "$SEQERA_CONTAINER_REGISTRY" ]; then
+  echo "Missing env var SEQERA_CONTAINER_REGISTRY"
+  exit 1
+fi
+SEQERA_IMAGE_TAG="$SEQERA_CONTAINER_REGISTRY/$IMAGE_TAG"
+
+docker tag "$IMAGE_TAG" "$SEQERA_IMAGE_TAG"
+docker push "$SEQERA_IMAGE_TAG"
+
+echo "Done"
diff --git a/release/deploy-to-github.sh b/release/deploy-to-github.sh
new file mode 100755
index 0000000000..f647be5b03
--- /dev/null
+++ b/release/deploy-to-github.sh
@@ -0,0 +1,60 @@
+#!/usr/bin/env bash
+set -e
+
+# change to the project root
+cd "$(dirname "$0")/.."
+
+# read the nextflow version
+read -r NF_VERSION<VERSION
+
+function get_change_notes() {
+  # extract the most recent changelog notes from 'changelog.txt',
+  # which should have been manually updated for the release
+  #
+  # TODO eventually replace with proper automated changelog generation
+  is_relevant=false
+  while IFS="" read -r line || [ -n "$line" ]
+  do
+    # ignore all lines until we find the correct version
+    if [[ "$line" == "$NF_VERSION "* ]]; then
+      is_relevant=true
+    fi
+
+    # then, if line starts with a dash, add to notes
+    if [[ "$is_relevant" == true && "$line" == -* ]] ; then
+      printf '%s\n' "$line"
+    fi
+    # until the first empty line
+    if [[ "$is_relevant" == true && -z "$line" ]]; then
+      break
+    fi
+  done < changelog.txt
+}
+
+echo "
+-------------------------------------------
+-- Publishing nextflow release to github --
+-------------------------------------------
+"
+
+# create a github (pre)release and attach launcher and dist files
+# use --verify-tag to fail if tag doesn't exist
+notes=$(get_change_notes)
+
+# if edge version, mark as pre-release
+if [[ "$NF_VERSION" =~ .+(-edge|-EDGE) ]]; then
+  prerelease='--prerelease'
+else
+  prerelease=
+fi
+
+gh release create \
+  --draft $prerelease \
+  --title "Version $NF_VERSION" \
+  --notes "$notes" \
+  --verify-tag \
+  "v$NF_VERSION" \
+  nextflow \
+  "build/releases/nextflow-$NF_VERSION-dist"
+
+echo "Done"
diff --git a/release/deploy-to-maven.sh b/release/deploy-to-maven.sh
new file mode 100755
index 0000000000..78c2562784
--- /dev/null
+++ b/release/deploy-to-maven.sh
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+set -e
+
+# change to the project root
+cd "$(dirname "$0")/.."
+
+echo "
+---------------------------------------
+-- Publishing nextflow jars to maven --
+---------------------------------------
+"
+
+# the release process should have already built the jars, so to avoid re-compiling everything
+# we can tell gradle to skip all non publish/publication related tasks
+./gradlew publishToMaven \
+  $( ./gradlew publishToMaven --dry-run | grep -iv 'publish\|publication' | awk '/^:/ { print "-x" $1 }')
+
+echo "Done"
diff --git a/release/deploy-to-s3.sh b/release/deploy-to-s3.sh
new file mode 100755
index 0000000000..d56e4dd2cc
--- /dev/null
+++ b/release/deploy-to-s3.sh
@@ -0,0 +1,52 @@
+#!/usr/bin/env bash
+set -e
+
+# change to the project root
+cd "$(dirname "$0")/.."
+
+# read the nextflow version
+read -r NF_VERSION<VERSION
+
+echo "
+-------------------------------------------
+-- Uploading nextflow distribution to S3 --
+-------------------------------------------
+"
+
+S3_RELEASE_BUCKET=${S3_RELEASE_BUCKET:-'www2.nextflow.io'}
+S3_RELEASE_DIR="releases/v$NF_VERSION"
+
+# check if the release already exists
+release_exists=false
+aws s3api head-object --bucket "$S3_RELEASE_BUCKET" --key "$S3_RELEASE_DIR/nextflow" > /dev/null 2>&1 \
+  && release_exists=true
+
+if [[ $release_exists == true ]]; then
+  echo "Version $NF_VERSION already deployed to S3, skipping"
+  exit
+fi
+
+# collect files to deploy
+files=(build/releases/nextflow-"$NF_VERSION"-*)
+if [[ ${#files[@]} -eq 0 ]]; then
+  echo "ERROR - can't find any files to upload"
+  exit 1
+fi
+files+=(
+  'nextflow'
+  'nextflow.sha1'
+  'nextflow.sha256'
+  'nextflow.md5'
+)
+
+# upload them to s3 bucket
+for file in "${files[@]}"; do
+  filename=$(basename "$file")
+  aws s3 cp "$file" "s3://$S3_RELEASE_BUCKET/$S3_RELEASE_DIR/$filename" \
+    --no-progress \
+    --storage-class STANDARD \
+    --region eu-west-1 \
+    --acl public-read
+done
+
+echo "Done"
diff --git a/release/main.sh b/release/main.sh
new file mode 100644
index 0000000000..2ecee62fe1
--- /dev/null
+++ b/release/main.sh
@@ -0,0 +1,52 @@
+#!/usr/bin/env bash
+set -e
+
+# -----------------------------------------------------------------------------
+# Nextflow release script
+#
+# This is the orchestration script for Nextflow releases.
+#
+# It is intended to be run by 'headless' CI environments (eg Github Actions)
+# to execute a release.You probably don't want to run this script directly.
+#
+# Instead, use the `make release` command to be guided through the process.
+# -----------------------------------------------------------------------------
+
+# set defaults for unspecified env vars
+export GH_ORG=${GH_ORG:-'nextflow-io'}
+export GH_USER=${GH_USER:-'pditommaso'} # TODO - use a service user for releases
+export GH_USER_EMAIL=${GH_USER_EMAIL:-'paolo.ditommaso@gmail.com'}
+
+export MAVEN_PUBLISH_URL=${MAVEN_PUBLISH_URL:-'s3://maven.seqera.io'}
+export PLUGINS_INDEX_JSON=${PLUGINS_INDEX_JSON:-'https://github.com/nextflow-io/plugins/main/plugins.json'}
+export S3_RELEASE_BUCKET=${S3_RELEASE_BUCKET:-'www2.nextflow.io'}
+export SEQERA_CONTAINER_REGISTRY=${SEQERA_CONTAINER_REGISTRY:-'public.cr.seqera.io'}
+
+# change to the project root
+cd "$(dirname "$0")/.."
+
+# build artifacts
+make distribution
+
+# tag release
+./release/tag-release.sh
+
+# deploy to maven
+./release/deploy-to-maven.sh
+
+# deploy to S3
+./release/deploy-to-s3.sh
+
+# deploy to docker
+./release/deploy-to-docker.sh
+
+# deploy to github
+./release/deploy-to-github.sh
+
+# deploy plugins
+./release/deploy-plugins-to-maven.sh
+./release/deploy-plugins-to-github.sh
+./release/update-plugins-index.sh
+
+# finally, publish the new launcher
+./release/publish-launcher-script.sh
diff --git a/release/publish-launcher-script.sh b/release/publish-launcher-script.sh
new file mode 100755
index 0000000000..7ee69ec937
--- /dev/null
+++ b/release/publish-launcher-script.sh
@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+set -e
+
+# change to the project root
+cd "$(dirname "$0")/.."
+
+# read the nextflow version
+read -r NF_VERSION<VERSION
+
+echo "
+-----------------------------------------------
+-- Publishing nextflow launcher script to S3 --
+-----------------------------------------------
+"
+
+# determine publish location based on release type
+S3_RELEASE_BUCKET=${S3_RELEASE_BUCKET:-'www2.nextflow.io'}
+if [[ "$NF_VERSION" =~ .+(-edge|-EDGE) ]]; then
+  S3_RELEASE_DIR="releases/edge"
+else
+  S3_RELEASE_DIR="releases/latest"
+fi
+
+# collect the files we need to publish
+files+=(
+  'nextflow'
+  'nextflow.sha1'
+  'nextflow.sha256'
+  'nextflow.md5'
+  'VERSION'
+)
+
+# publish them to S3
+for file in "${files[@]}"; do
+  filename=$(echo "$file" | tr '[:upper:]' '[:lower:]')
+  aws s3 cp "$file" "s3://$S3_RELEASE_BUCKET/$S3_RELEASE_DIR/$filename" \
+    --no-progress \
+    --storage-class STANDARD \
+    --region eu-west-1 \
+   --acl public-read
+done
+
+echo "Done"
diff --git a/release/tag-release.sh b/release/tag-release.sh
new file mode 100755
index 0000000000..1400e503bc
--- /dev/null
+++ b/release/tag-release.sh
@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+set -e
+
+# change to the project root
+cd "$(dirname "$0")/.."
+
+# read the nextflow version
+read -r NF_VERSION<VERSION
+
+echo "
+----------------------
+-- Creating git tag --
+----------------------
+"
+
+# create & push a git tag
+git tag "v$NF_VERSION"
+git push origin "v$NF_VERSION"
+
+echo "Done"
diff --git a/release/update-plugins-index.sh b/release/update-plugins-index.sh
new file mode 100755
index 0000000000..5d8de4eccf
--- /dev/null
+++ b/release/update-plugins-index.sh
@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+set -e
+
+# change to the project root
+cd "$(dirname "$0")/.."
+
+echo "
+----------------------------
+-- Updating plugins index --
+----------------------------
+"
+
+./gradlew plugins:publishIndex
+
+echo "Done"