diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
new file mode 100644
index 0000000..6a58e14
--- /dev/null
+++ b/.gitea/workflows/deploy.yml
@@ -0,0 +1,59 @@
+name: Create Release
+
+on:
+  push:
+    tags:
+      - '*'
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Import Secrets
+        id: import-secrets
+        uses: hashicorp/vault-action@v2
+        with:
+          url: ${{ env.VAULT_ADDR }}
+          method: ${{ env.VAULT_AUTH_TYPE}}
+          roleId: ${{ env.VAULT_APPROLE_ID }}
+          secretId: ${{ env.VAULT_APPROLE_SECRET }}
+          secrets: |
+            passwords/data/ssh id_ecdsa | DEPLOY_KEY;
+            passwords/data/ssh ssh_config | SSH_CONFIG;
+            passwords/data/git.mthie.com gitconfig | GITCONFIG;
+            passwords/data/git.mthie.com api_key | API_TOKEN
+
+      - uses: actions/checkout@v3
+
+      - name: init system
+        run: |
+          mkdir -p ~/.ssh && chmod 700 ~/.ssh
+          git config --global user.email "github@mthie.com"
+          git config --global user.name "Gitea Cron"
+          git config pull.rebase true
+          echo "${{ env.DEPLOY_KEY }}" > ~/.ssh/id_ecdsa
+          echo "${{ env.SSH_CONFIG }}" > ~/.ssh/config
+          echo '${{ env.GITCONFIG }}' > ~/.gitconfig
+          cat ~/.gitconfig
+          ssh-keyscan -t rsa git.mthie.com >> ~/.ssh/known_hosts
+          chmod 400 ~/.ssh/id_ecdsa ~/.ssh/config
+
+      - uses: actions/setup-go@v3
+        with:
+          go-version: '1.21'
+          check-latest: true
+
+      - name: Build binary
+        run: |
+          go get ./...
+          go build -o bin/vault *.go
+
+      - name: Create Release
+        uses: https://gitea.com/actions/release-action@main
+        with:
+          files: |-
+            bin/**            
+          api_key: '${{ env.API_TOKEN }}'