diff --git a/.forgejo/workflows/tag-release.yml b/.forgejo/workflows/tag-release.yml index 3bd09b0..428ec72 100644 --- a/.forgejo/workflows/tag-release.yml +++ b/.forgejo/workflows/tag-release.yml @@ -19,6 +19,7 @@ on: - cache - checkout - download-artifact + - esb-deploy - helm-deploy - i18n-sync - inject-content @@ -26,6 +27,8 @@ on: - pnpm-build - playwright-merge - playwright-run + - publish-npm-package + - publish-rust-crate - publish-static-contents - rust-build - terraform-apply diff --git a/README.md b/README.md index cf223c2..66f3ecf 100644 --- a/README.md +++ b/README.md @@ -19,6 +19,8 @@ Shared actions for Forgejo CI/CD pipelines. | [pnpm-build](pnpm-build) | Action for building and validating with PNPM | | [playwright-merge](playwright-merge) | Merge Playwright shard blob reports and publish consolidated reports | | [playwright-run](playwright-run) | Run Playwright tests for one shard and upload its blob report | +| [publish-npm-package](publish-npm-package) | Publish a PNPM package to JFrog Artifactory | +| [publish-rust-crate](publish-rust-crate) | Publish a Rust crate to JFrog Artifactory | | [publish-static-contents](publish-static-contents) | Syncs frontend assets to S3 and invalidates a CloudFront distribution | | [rust-build](rust-build) | Set up Rust toolchain, run checks, and build via the project's build.sh | | [terraform-apply](terraform-apply) | Apply Terraform configuration files using the official Terraform CLI | diff --git a/esb-deploy/README.md b/esb-deploy/README.md new file mode 100644 index 0000000..ae02466 --- /dev/null +++ b/esb-deploy/README.md 
@@ -0,0 +1,32 @@ +# esb-deploy + +Deploy a service to an ESB docker host. + +## Inputs + +| Input | Required | Default | Description | +|-------|----------|---------|-------------| +| `docker-host` | Yes | - | esbdb3.schmalzgroup.net, esbdb4.schmalzgroup.net, esbdb2-stage.schmalzgroup.net| +| `java-version` | Yes | 25 | Same as default of the maven-build action | +| `maven-profile` | No | `test` | Maven profile to activate during deploy | +| `maven-settings` | **Yes** | — | Secret containing the `settings.xml` content used for repository authentication | +| `service` | Yes | — | Name of the service to deploy | +| `stage` | No | true | If true this is a stage deployment | + +## Usage + +```yaml +- uses: https://schmalz-git.git.onstackit.cloud/schmalz/shared-actions/esb-deploy@esb-deploy-v1 + with: + service: my-service + docker-host: esbdocker2-stage.schmalzgroup.net + java-version: 8 + maven-profile: test + maven-settings: ${{ secrets.MAVEN_SETTINGS }} + stage: true +``` + +## Notes + +- The compose files are extracted from variables. They can be provided on the organization or repository level. +- The action uses the maven-build action to build the service. The pom.xml has to be in the root directory diff --git a/esb-deploy/action.yml b/esb-deploy/action.yml new file mode 100644 index 0000000..584274e --- /dev/null +++ b/esb-deploy/action.yml 
@@ -0,0 +1,64 @@ +name: Deploy ESB +description: Deploy a service to an ESB docker host. + +inputs: + docker-host: + description: Docker host to deploy to + required: true + maven-profile: + required: false + default: 'test' + description: 'Maven profile to use for the build' + maven-settings: + description: Secret containing the settings.xml content used for repository authentication + required: true + java-version: + description: Java version to use for the build + required: true + service: + description: Name of the service to deploy + required: true + stage: + description: Whether to deploy to stage environment (true) or production environment (false) + required: false + default: 'true' + +runs: + using: composite + steps: + - name: Create compose files + shell: bash + env: + BASE_COMPOSE: ${{ vars.DOCKER_COMPOSE }} + SU_COMPOSE: ${{ vars.DOCKER_COMPOSE_SU }} + run: | + printf '%s\n' "$BASE_COMPOSE" > compose.yml + printf '%s\n' "$SU_COMPOSE" > compose-su.yml + + - uses: https://schmalz-git.git.onstackit.cloud/schmalz/shared-actions/maven-build@maven-build-v1 + with: + phase: verify + maven-settings: ${{ inputs.maven-settings }} + verify-goals: clean package + java-version: ${{ inputs.java-version }} + maven-profile: ${{ inputs.maven-profile}} + + - name: Compose stage + if: ${{ inputs.stage == 'true' }} + shell: bash + env: + SERVICE: ${{ inputs.service }} + run: | + echo "Deploying $SERVICE to stage environment" + export DOCKER_HOST="tcp://${{ inputs.docker-host }}:2375" + docker compose -f compose.yml -f compose-su.yml up -d --build --no-deps "$SERVICE" + + - name: Compose prod + if: ${{ inputs.stage != 'true' }} + shell: bash + env: + SERVICE: ${{ inputs.service }} + run: | + echo "Deploying $SERVICE to production environment" + export DOCKER_HOST="tcp://${{ inputs.docker-host }}:2375" + docker compose -f compose.yml up -d --build --no-deps "$SERVICE" diff --git a/maven-build/action.yml b/maven-build/action.yml index 961bc28..6b16ded 100644 
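Review bot: `export DOCKER_HOST="tcp://${{ inputs.docker-host }}:2375"` in both the "Compose stage" and "Compose prod" steps interpolates the input straight into the shell script, whereas `service` in the same steps is correctly passed through `env:`; a host value containing shell metacharacters would run as script. Pass it the same way: add `DOCKER_HOST_NAME: ${{ inputs.docker-host }}` under each step's `env:` and write `export DOCKER_HOST="tcp://${DOCKER_HOST_NAME}:2375"`. Separately, port 2375 is the plaintext, unauthenticated Docker API, so the deploy should target the TLS endpoint (`2376` with `DOCKER_TLS_VERIFY=1` and client certificates supplied from secrets) or an `ssh://` host rather than trusting network reachability alone. The "Create compose files" step also writes `compose.yml` and `compose-su.yml` even when `vars.DOCKER_COMPOSE` / `vars.DOCKER_COMPOSE_SU` are unset, which only surfaces later as a confusing `docker compose` error; a guard such as `: "${BASE_COMPOSE:?DOCKER_COMPOSE variable not set}"` before the `printf` lines makes the failure explicit.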
--- a/maven-build/action.yml +++ b/maven-build/action.yml @@ -94,9 +94,11 @@ runs: env: VERIFY_GOALS: ${{ inputs.verify-goals }} EXTRA_ARGS: ${{ inputs.extra-args }} + MAVEN_PROFILE: ${{ inputs.maven-profile }} run: | mvn --batch-mode $VERIFY_GOALS \ -s /tmp/maven-settings.xml \ + -P "$MAVEN_PROFILE" \ $EXTRA_ARGS - name: Deploy diff --git a/publish-npm-package/README.md b/publish-npm-package/README.md new file mode 100644 index 0000000..7411507 --- /dev/null +++ b/publish-npm-package/README.md @@ -0,0 +1,28 @@ +# publish-npm-package + +Publish a PNPM package to JFrog Artifactory. + +## Inputs + +| Input | Required | Default | Description | +|-------|----------|---------|-------------| +| `working-directory` | No | `.` | Directory containing `package.json` | +| `node-version` | No | `24` | Node.js version | +| `pnpm-version` | No | `10.33` | pnpm version | +| `jfrog-token` | Yes | — | JFrog npm auth token | +| `registry-url` | No | `https://schmalz.jfrog.io/artifactory/api/npm/default-npm/` | npm registry URL | + +## Usage + +```yaml +- uses: https://schmalz-git.git.onstackit.cloud/schmalz/shared-actions/publish-npm-package@publish-npm-package-v1 + with: + working-directory: . + jfrog-token: ${{ secrets.JFROG_TOKEN }} +``` + +## Notes + +- Publishes with `pnpm publish`. +- Configures the registry auth token from `registry-url` and `jfrog-token`. +- Third-party actions used internally are pinned to exact commit SHAs to prevent supply chain attacks. diff --git a/publish-npm-package/action.yml b/publish-npm-package/action.yml new file mode 100644 index 0000000..69b8fa3 --- /dev/null +++ b/publish-npm-package/action.yml 
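Review bot: `-P "$MAVEN_PROFILE"` is passed unconditionally, so a caller that leaves `maven-profile` unset (the input's definition is outside this hunk, so I cannot tell whether it has a default) runs `mvn -P ""`, which Maven reports as a non-existent profile and stricter versions may reject outright. Make the flag conditional on the value being non-empty: `${MAVEN_PROFILE:+-P "$MAVEN_PROFILE"} \`. The `run:` block belongs to a step whose `name:` line is above the hunk, and the `Deploy` step that follows is not shown, so whether the profile should also apply to the deploy invocation is worth confirming.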
@@ -0,0 +1,64 @@ +name: publish-npm-package +description: Publish a PNPM package to JFrog Artifactory. + +inputs: + working-directory: + description: Directory containing package.json + required: false + default: "." + node-version: + description: Node.js version + required: false + default: "24" + pnpm-version: + description: pnpm version + required: false + default: "10.33" + jfrog-token: + description: JFrog npm auth token + required: true + registry-url: + description: npm registry URL + required: false + default: "https://schmalz.jfrog.io/artifactory/api/npm/default-npm/" + +runs: + using: composite + steps: + # Pinned to commit SHA instead of a tag to prevent supply chain attacks. + # actions/setup-node v4.4.0 — https://code.forgejo.org/actions/setup-node/commits/tag/v4.4.0 + - name: Setup Node + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 + with: + node-version: ${{ inputs.node-version }} + + # Pinned to commit SHA instead of a tag to prevent supply chain attacks. + # pnpm/action-setup v4.3.0 — https://code.forgejo.org/pnpm/action-setup/commits/tag/v4.3.0 + - name: Install pnpm + uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 + env: + # pnpm/action-setup bootstraps itself via npm before pnpm is available, + # so it must reach the public npm registry. + NPM_CONFIG_REGISTRY: https://registry.npmjs.org + with: + version: ${{ inputs.pnpm-version }} + + - name: Configure JFrog registry authentication + shell: bash + env: + JFROG_TOKEN: ${{ inputs.jfrog-token }} + REGISTRY_URL: ${{ inputs.registry-url }} + run: | + set -euo pipefail + + pnpm set registry "${REGISTRY_URL}" + + AUTHORITY="${REGISTRY_URL#https://}" + AUTHORITY="${AUTHORITY#http://}" + AUTHORITY="${AUTHORITY%/}" + pnpm set "//${AUTHORITY}/:_authToken" "${JFROG_TOKEN}" + + - name: Publish + shell: bash + working-directory: ${{ inputs.working-directory }} + run: pnpm publish 
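Review bot: The "Configure JFrog registry authentication" step writes `jfrog-token` into the runner user's `.npmrc` via `pnpm set "//${AUTHORITY}/:_authToken"`, and no later step removes it, so on a non-ephemeral runner the token outlives the job and is readable by whatever runs there next. Add a final cleanup step that runs even when publishing fails (below). The same step also accepts `http://` in `registry-url` because it strips both schemes; since the token would then be sent in the clear, reject non-TLS URLs before configuring anything, e.g. `case "${REGISTRY_URL}" in https://*) ;; *) echo "registry-url must use https" >&2; exit 1 ;; esac`.
```yaml
      # … unchanged: Setup Node, Install pnpm, Configure JFrog registry authentication, Publish …
      - name: Remove registry credentials
        if: always()
        shell: bash
        env:
          REGISTRY_URL: ${{ inputs.registry-url }}
        run: |
          AUTHORITY="${REGISTRY_URL#https://}"
          AUTHORITY="${AUTHORITY#http://}"
          AUTHORITY="${AUTHORITY%/}"
          pnpm config delete "//${AUTHORITY}/:_authToken" || true
```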
diff --git a/publish-rust-crate/README.md b/publish-rust-crate/README.md new file mode 100644 index 0000000..69a44c2 --- /dev/null +++ b/publish-rust-crate/README.md @@ -0,0 +1,29 @@ +# publish-rust-crate + +Publish a Rust crate to JFrog Artifactory. + +## Inputs + +| Input | Required | Default | Description | +|-------|----------|---------|-------------| +| `working-directory` | No | `.` | Directory containing `Cargo.toml` | +| `rust-version` | No | `1.95.0` | Rust toolchain version | +| `jfrog-token` | Yes | — | JFrog token for the Artifactory Cargo registry | +| `registry-name` | No | `artifactory` | Cargo registry name | +| `registry-index` | No | `sparse+https://schmalz.jfrog.io/artifactory/api/cargo/schmalz-cargo-local/index/` | Cargo registry index URL | + +## Usage + +```yaml +- uses: https://schmalz-git.git.onstackit.cloud/schmalz/shared-actions/publish-rust-crate@publish-rust-crate-v1 + with: + working-directory: . + jfrog-token: ${{ secrets.JFROG_TOKEN }} +``` + +## Notes + +- Configures Cargo registry settings in `${CARGO_HOME}/config.toml` and `${CARGO_HOME}/credentials.toml`. +- Falls back to `$HOME/.cargo` when `CARGO_HOME` is not set. +- Publishes with `cargo publish --registry `. +- Third-party actions used internally are pinned to exact commit SHAs to prevent supply chain attacks. diff --git a/publish-rust-crate/action.yml b/publish-rust-crate/action.yml new file mode 100644 index 0000000..11b26b3 --- /dev/null +++ b/publish-rust-crate/action.yml 
@@ -0,0 +1,64 @@ +name: publish-rust-crate +description: Publish a Rust crate to JFrog Artifactory. + +inputs: + working-directory: + description: Directory containing Cargo.toml + required: false + default: "." + rust-version: + description: Rust toolchain version + required: false + default: "1.95.0" + jfrog-token: + description: JFrog token for the Artifactory Cargo registry + required: true + registry-name: + description: Cargo registry name + required: false + default: artifactory + registry-index: + description: Cargo registry index URL + required: false + default: "sparse+https://schmalz.jfrog.io/artifactory/api/cargo/schmalz-cargo-local/index/" + +runs: + using: composite + steps: + # Pinned to commit SHA instead of a tag to prevent supply chain attacks. + # dtolnay/rust-toolchain v1 (2026-03-27) — https://github.com/dtolnay/rust-toolchain/commit/3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9 + - name: Setup Rust toolchain + uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9 + with: + toolchain: ${{ inputs.rust-version }} + + - name: Configure Cargo registry (JFrog Artifactory) + shell: bash + env: + JFROG_TOKEN: ${{ inputs.jfrog-token }} + REGISTRY_NAME: ${{ inputs.registry-name }} + REGISTRY_INDEX: ${{ inputs.registry-index }} + run: | + set -euo pipefail + + CARGO_HOME_DIR="${CARGO_HOME:-$HOME/.cargo}" + mkdir -p "${CARGO_HOME_DIR}" + + cat >> "${CARGO_HOME_DIR}/config.toml" <> "${CARGO_HOME_DIR}/credentials.toml" <