diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 2a25181..4c5d66b 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -1,10 +1,17 @@
-# Publish release artifacts to Maven Central when a GitHub Release is created.
-# See DEPLOY.md for required repository secrets and release process.
+# Publish release artifacts to Maven Central when a GitHub Release is created,
+# or when this workflow is run manually from the Actions tab.
+# See DEPLOY.md for required release environment secrets and release process.
 name: publish
 on:
 release:
 types: [created]
+ workflow_dispatch:
+ inputs:
+ tag:
+ description: Release tag to publish (for example v1.2.0)
+ required: true
+ type: string
 permissions:
 contents: read
@@ -12,6 +19,7 @@ permissions:
 jobs:
 publish:
 runs-on: ubuntu-latest
+ environment: release
 steps:
 - name: Harden the runner (Audit all outbound calls)
@@ -22,7 +30,7 @@ jobs:
 - name: Checkout release tag
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
- ref: ${{ github.event.release.tag_name }}
+ ref: ${{ github.event.release.tag_name || github.event.inputs.tag }}
 - name: Setup Java and Maven Central credentials
 uses: actions/setup-java@f2beeb24e141e01a676f977032f5a29d81c9e27e # v5.1.0
@@ -47,7 +55,7 @@ jobs:
 -DnewVersion="$VERSION" \
 -DgenerateBackupPoms=false
 env:
- TAG_NAME: ${{ github.event.release.tag_name }}
+ TAG_NAME: ${{ github.event.release.tag_name || github.event.inputs.tag }}
 - name: Verify formatting
 run: mvn -B spotless:check
diff --git a/DEPLOY.md b/DEPLOY.md
index e6f8ab1..16ecfae 100644
--- a/DEPLOY.md
+++ b/DEPLOY.md
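Review bot: The new `tag` input under `workflow_dispatch` is a free-form string, and nothing visible in this diff checks that it names an existing release tag before it is used as the checkout `ref` (hunk at -22,7) and as `TAG_NAME` (hunk at -47,7). `actions/checkout` resolves `ref` as a branch, tag or SHA, so a manual run could build and deploy to Maven Central from a branch or an arbitrary commit rather than from a tagged release. Pinning the lookup to the tag namespace closes that: `ref: refs/tags/${{ github.event.release.tag_name || github.event.inputs.tag }}`; a short step that rejects a `TAG_NAME` not matching the project's tag format before the version is derived would cover the second use. The step that consumes `TAG_NAME` starts outside the hunk, so any validation it already performs is not visible here.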
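Review bot: `environment: release` on the `publish` job only limits who can publish if the environment itself carries protection rules, and the diff does not show whether it does. Now that the workflow can be started manually, presumably by anyone with write access to the repository, a `release` environment without required reviewers would expose the Maven Central credentials to any such run. I would add a comment above the line, for example `# Secrets live in the 'release' environment; keep required reviewers enabled on it`, and state the expected protection rules in DEPLOY.md next to the secrets table. The job body continues outside the hunk.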
@@ -13,11 +13,34 @@ This project publishes through the [Sonatype Central Portal](https://central.son
 ## Publish with GitHub Actions
-Creating a [GitHub Release](https://docs.github.com/en/repositories/releasing-projects-on-github/managing-releases-in-a-repository#creating-a-release) runs [`.github/workflows/publish.yml`](.github/workflows/publish.yml). The workflow checks out the release tag, aligns `pom.xml` version with the tag (for example `v1.2.0` → `1.2.0`), runs Spotless and tests, then runs `mvn clean deploy`.
+Creating a [GitHub Release](https://docs.github.com/en/repositories/releasing-projects-on-github/managing-releases-in-a-repository#creating-a-release) runs [`.github/workflows/publish.yml`](.github/workflows/publish.yml). You can also run the workflow manually from **Actions → publish → Run workflow**, providing the release tag (for example `v1.2.0`).
-### Repository secrets
+The workflow checks out the release tag, aligns `pom.xml` version with the tag (for example `v1.2.0` → `1.2.0`), runs Spotless and tests, then runs `mvn clean deploy`.
-Configure these under **Settings → Secrets and variables → Actions**:
+### Trigger manually from the CLI
+
+Use the [GitHub CLI](https://cli.github.com/) (`gh auth login` if needed). From a clone of this repo:
+
+```bash
+gh workflow run publish -f tag=v1.2.0
+```
+
+From another directory, pass the repository explicitly:
+
+```bash
+gh workflow run publish --repo coinbase/core-java -f tag=v1.2.0
+```
+
+Watch the latest run or list recent publish runs:
+
+```bash
+gh run watch
+gh run list --workflow=publish
+```
+
+### Release environment secrets
+
+Configure these under **Settings → Environments → release → Environment secrets** (the publish job uses the `release` environment):
 | Secret | Description |
 |--------|-------------|