diff --git a/.github/workflows/deploy_snapshot.yml b/.github/workflows/deploy_snapshot.yml
new file mode 100644
index 000000000..bd226e1f0
--- /dev/null
+++ b/.github/workflows/deploy_snapshot.yml
@@ -0,0 +1,39 @@
+on:
+  push:
+    branches:
+      - master
+
+name: Deploy snapshot builds
+jobs:
+  deploy-release-snapshot:
+    runs-on: ubuntu-latest
+    if: "!contains(github.event.head_commit.message, '[ci skip]')"
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v1
+
+    - name: Decrypt secrets
+      run: release/signing-setup.sh "$ENCRYPT_KEY"
+      env:
+        ENCRYPT_KEY: ${{ secrets.ENCRYPT_KEY }}
+
+    - name: Download gradle dependencies
+      run: ./gradlew dependencies
+
+    - name: Validate codestyle with Spotless
+      run: ./gradlew spotlessCheck
+
+    - name: Build release app
+      run: ./gradlew :app:assembleRelease
+
+    - name: Clean secrets
+      run: release/signing-cleanup.sh
+
+    - name: Deploy snapshot
+      run: release/deploy-snapshot.sh
+      env:
+        ACTIONS_DEPLOY_KEY: ${{ secrets.ACTIONS_DEPLOY_KEY }}
+        SSH_USERNAME: ${{ secrets.SSH_USERNAME }}
+        SERVER_ADDRESS: ${{ secrets.SERVER_ADDRESS }}
+        SERVER_DESTINATION: ${{ secrets.SERVER_DESTINATION }}
+        SSH_PORT: ${{ secrets.SSH_PORT }}
diff --git a/.github/workflows/push.yml b/.github/workflows/pull_request.yml
similarity index 83%
rename from .github/workflows/push.yml
rename to .github/workflows/pull_request.yml
index 8edffd42a..e158846c7 100644
--- a/.github/workflows/push.yml
+++ b/.github/workflows/pull_request.yml
@@ -1,7 +1,8 @@
-on: [push, pull_request]
-name: CI builds
+on: pull_request
+
+name: Check pull request
 jobs:
-  setup-android:
+  test-pr:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@master
diff --git a/.gitignore b/.gitignore
index 71d6cdf76..29f7f9426 100644
--- a/.gitignore
+++ b/.gitignore
@@ -38,3 +38,5 @@ project.properties
 .vscode/
 
 captures/
+
+keystore.*
diff --git a/app/build.gradle b/app/build.gradle
index 6145fe13d..9a654564d 100644
--- a/app/build.gradle
+++ b/app/build.gradle
@@ -12,7 +12,28 @@ repositories {
     maven { url 'https://jitpack.io' }
 }
 
+final def keystorePropertiesFile = rootProject.file 'keystore.properties'
+
+final def gitHash = { ->
+    final def stdout = new ByteArrayOutputStream()
+    exec {
+        commandLine 'git', 'describe', '--tags'
+        standardOutput = stdout
+    }
+    stdout.toString().trim()
+}
+
+static final def isCi() {
+    return System.env['GITHUB_WORKFLOW'] != null
+}
+
 android {
+    android.applicationVariants.all { final variant ->
+        variant.outputs.all {
+            outputFileName = "aps_${isCi() ? versions.versionName : gitHash()}.apk"
+        }
+    }
+
     defaultConfig {
         applicationId 'com.zeapo.pwdstore'
     }
@@ -40,28 +61,19 @@ android {
         }
     }
 
-    /*
-     * To sign release builds, create the file `gradle.properties` in
-     * $HOME/.gradle or in your project directory with this content:
-     *
-     * mStoreFile=/path/to/key.store
-     * mStorePassword=xxx
-     * mKeyAlias=alias
-     * mKeyPassword=xxx
-     */
-    if (project.hasProperty('mStoreFile') &&
-            project.hasProperty('mStorePassword') &&
-            project.hasProperty('mKeyAlias') &&
-            project.hasProperty('mKeyPassword')) {
+    if (keystorePropertiesFile.exists()) {
+        final def keystoreProperties = new Properties()
+        keystoreProperties.load(new FileInputStream(keystorePropertiesFile))
         signingConfigs {
             release {
-                storeFile = file(project.properties['mStoreFile'] as String)
-                storePassword = project.properties['mStorePassword'] as String
-                keyAlias = project.properties['mKeyAlias'] as String
-                keyPassword = project.properties['mKeyPassword'] as String
+                keyAlias = keystoreProperties['keyAlias']
+                keyPassword = keystoreProperties['keyPassword']
+                storeFile = rootProject.file keystoreProperties['storeFile']
+                storePassword = keystoreProperties['storePassword']
             }
         }
         buildTypes.release.signingConfig = signingConfigs.release
+        buildTypes.debug.signingConfig = signingConfigs.release
     }
 }
 
diff --git a/dependencies.gradle b/dependencies.gradle
index 93e185b67..d19989c35 100644
--- a/dependencies.gradle
+++ b/dependencies.gradle
@@ -7,13 +7,13 @@ ext.versions = [
     targetSdk: 29,
     compileSdk: 29,
     versionCode: 10303,
-    versionName: '1.3.3',
+    versionName: '1.3.4-SNAPSHOT',
     buildTools: '29.0.2'
 ]
 
 ext.deps = [
     gradle_plugin: [
-        android: 'com.android.tools.build:gradle:3.5.2',
+        android: 'com.android.tools.build:gradle:3.5.3',
         kotlin: 'org.jetbrains.kotlin:kotlin-gradle-plugin:1.3.61',
         spotless: 'com.diffplug.spotless:spotless-plugin-gradle:3.26.1'
     ],
diff --git a/release/deploy-github.sh b/release/deploy-github.sh
new file mode 100755
index 000000000..42a984c4b
--- /dev/null
+++ b/release/deploy-github.sh
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+trap 'exit 1' SIGINT SIGTERM
+
+[ -z "$(command -v hub)" ] && { echo "hub not installed; aborting!"; exit 1; }
+TAG="${1}"
+hub tag -afs "${TAG:?}"
+gradle clean bundleRelease assembleRelease
+hub release create "${TAG}" -a app/build/outputs/apk/release/aps_"${TAG}".apk
diff --git a/release/deploy-snapshot.sh b/release/deploy-snapshot.sh
new file mode 100755
index 000000000..e5d64b0d3
--- /dev/null
+++ b/release/deploy-snapshot.sh
@@ -0,0 +1,11 @@
+#!/usr/bin/env sh
+
+export SSHDIR="$HOME/.ssh"
+mkdir -p "$SSHDIR"
+echo "$ACTIONS_DEPLOY_KEY" > "$SSHDIR/key"
+chmod 600 "$SSHDIR/key"
+export SERVER_DEPLOY_STRING="$SSH_USERNAME@$SERVER_ADDRESS:$SERVER_DESTINATION"
+cd "$GITHUB_WORKSPACE/app/build/outputs/apk/release"
+rm output.json
+rsync -ahvcr --omit-dir-times --progress --delete --no-o --no-g -e "ssh -i $SSHDIR/key -o StrictHostKeyChecking=no -p $SSH_PORT" . "$SERVER_DEPLOY_STRING" || true
+exit 0
diff --git a/release/keystore.cipher b/release/keystore.cipher
new file mode 100644
index 000000000..269ed5efe
Binary files /dev/null and b/release/keystore.cipher differ
diff --git a/release/props.cipher b/release/props.cipher
new file mode 100644
index 000000000..986eab147
--- /dev/null
+++ b/release/props.cipher
@@ -0,0 +1,2 @@
+Salted__��4��Ӏ�~O�j�
+��r&4�Y���՝u�D~R+��s�'�
�[��u�ӯ�v�Iه�� �ن�q/�L4�O��F���U��x4"	#.���R������W�!��l#ܑ�hRq(H"ǶI1��S�}İ��Ҹc	�c�
\ No newline at end of file
diff --git a/release/signing-cleanup.sh b/release/signing-cleanup.sh
new file mode 100755
index 000000000..babe793e6
--- /dev/null
+++ b/release/signing-cleanup.sh
@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+
+# Delete Release key
+rm -f keystore.jks
+
+# Delete signing config
+rm -f keystore.properties
diff --git a/release/signing-setup.sh b/release/signing-setup.sh
new file mode 100755
index 000000000..b60902ee5
--- /dev/null
+++ b/release/signing-setup.sh
@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+
+ENCRYPT_KEY=$1
+
+if [[ -n "$ENCRYPT_KEY" ]]; then
+    # Decrypt Release key
+    openssl enc -aes-256-cbc -md sha256 -d -in release/keystore.cipher -out keystore.jks -k "${ENCRYPT_KEY}"
+
+    # Decrypt signing config
+    openssl enc -aes-256-cbc -md sha256 -d -in release/props.cipher -out keystore.properties -k "${ENCRYPT_KEY}"
+else
+    echo "ENCRYPT_KEY is empty"
+fi