diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 75ecfa3075..0e39c80fdf 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -203,6 +203,23 @@ jobs:
           tar xf targets.tar
           rm targets.tar
 
+      - name: Import signing key
+        if: env.PGP_SECRET != '' && env.PGP_PASSPHRASE == ''
+        env:
+          PGP_SECRET: ${{ secrets.PGP_SECRET }}
+          PGP_PASSPHRASE: ${{ secrets.PGP_PASSPHRASE }}
+        run: echo $PGP_SECRET | base64 -d -i - | gpg --import
+
+      - name: Import signing key and strip passphrase
+        if: env.PGP_SECRET != '' && env.PGP_PASSPHRASE != ''
+        env:
+          PGP_SECRET: ${{ secrets.PGP_SECRET }}
+          PGP_PASSPHRASE: ${{ secrets.PGP_PASSPHRASE }}
+        run: |
+          echo "$PGP_SECRET" | base64 -d -i - > /tmp/signing-key.gpg
+          echo "$PGP_PASSPHRASE" | gpg --pinentry-mode loopback --passphrase-fd 0 --import /tmp/signing-key.gpg
+          (echo "$PGP_PASSPHRASE"; echo; echo) | gpg --command-fd 0 --pinentry-mode loopback --change-passphrase $(gpg --list-secret-keys --with-colons 2> /dev/null | grep '^sec:' | cut --delimiter ':' --fields 5 | tail -n 1)
+
       - name: Package repl
         run: sbt scio-repl/assembly
 
diff --git a/build.sbt b/build.sbt
index d329d1cdfa..4c8c0706bf 100644
--- a/build.sbt
+++ b/build.sbt
@@ -263,20 +263,20 @@ val skipUnauthorizedGcpGithubWorkflow = Def.setting {
 
 ThisBuild / githubWorkflowTargetBranches := Seq("main")
 ThisBuild / githubWorkflowJavaVersions := Seq(javaDefault, java17, java21) // default MUST be head
-ThisBuild / githubWorkflowBuildPreamble := Seq(githubWorkflowGcpAuthStep, githubWorkflowSetupStep)
-ThisBuild / githubWorkflowBuildPostamble := Seq(
+ThisBuild / githubWorkflowBuildPreamble ++= Seq(githubWorkflowGcpAuthStep, githubWorkflowSetupStep)
+ThisBuild / githubWorkflowBuildPostamble ++= Seq(
   WorkflowStep.Sbt(
     List("undeclaredCompileDependenciesTest", "unusedCompileDependenciesTest"),
     name = Some("Check dependencies")
   )
 )
-ThisBuild / githubWorkflowPublishPreamble := Seq(
+ThisBuild / githubWorkflowPublishPreamble ++= Seq(
   WorkflowStep.Sbt(
     List("scio-repl/assembly"),
     name = Some("Package repl")
   )
 )
-ThisBuild / githubWorkflowPublishPostamble := Seq(
+ThisBuild / githubWorkflowPublishPostamble ++= Seq(
   WorkflowStep.Use(
     UseRef.Public("softprops", "action-gh-release", "v1"),
     Map(