diff --git a/README.md b/README.md
index f6d6a44d..977a4bb6 100644
--- a/README.md
+++ b/README.md
@@ -69,9 +69,8 @@ jobs:
       uses: actions/setup-java@v1
       with:
         java-version: 1.8
-        server-id: github # Value of the distributionManagement/repository/id field of the pom.xml
-        username: ${{ github.actor }} # username for server authentication
-        password: ${{ github.token }} # password or token for authentication
+      env:
+        GITHUB_TOKEN: ${{ github.token }}
 
     - name: Build with Maven
       run: mvn -B package --file pom.xml
@@ -83,9 +82,12 @@ jobs:
       uses: actions/setup-java@v1
       with: # running setup-java again overwrites the settings.xml
         java-version: 1.8
-        server-id: maven
-        server-username: maven_username
-        server-password: ${{ secrets.MAVEN_CENTRAL_TOKEN }} # password from secrets store
+        server-id: maven # Value of the distributionManagement/repository/id field of the pom.xml
+        server-username: MAVEN_USERNAME # env variable for username below
+        server-password: MAVEN_CENTRAL_TOKEN # env variable for token below
+      env:
+        MAVEN_CENTRAL_TOKEN: ${{ secrets.MAVEN_CENTRAL_TOKEN }}
+        MAVEN_USERNAME: maven_username123
 
     - name: Publish to Apache Maven Central
       run: mvn deploy 
@@ -139,9 +141,9 @@ jobs:
       with:
         java-version: 1.8
         server-id: github # Value of the distributionManagement/repository/id field of the pom.xml
-        server-username: ${{ github.actor }} # username for server authentication
-        server-password: ${{ github.token }} # password or token for authentication
         settings-path: ${{ github.workspace }} # location for the settings.xml file
+      env:
+        GITHUB_TOKEN: ${{ github.token }}
 
     - name: Build with Maven
       run: mvn -B package --file pom.xml
diff --git a/__tests__/auth.test.ts b/__tests__/auth.test.ts
index 1d5cee92..5a31e277 100644
--- a/__tests__/auth.test.ts
+++ b/__tests__/auth.test.ts
@@ -30,8 +30,8 @@ describe('auth tests', () => {
 
   it('creates settings.xml in alternate locations', async () => {
     const id = 'packages';
-    const username = 'bluebottle';
-    const password = 'SingleOrigin';
+    const username = 'UNAMI';
+    const password = 'TOLKIEN';
 
     const altHome = path.join(__dirname, 'runner', 'settings');
     const altSettingsFile = path.join(altHome, auth.SETTINGS_FILE);
@@ -55,8 +55,8 @@ describe('auth tests', () => {
 
   it('creates settings.xml with username and password', async () => {
     const id = 'packages';
-    const username = 'bluebottle';
-    const password = 'SingleOrigin';
+    const username = 'UNAME';
+    const password = 'TOKEN';
 
     await auth.configAuthentication(id, username, password);
 
@@ -69,8 +69,8 @@ describe('auth tests', () => {
 
   it('overwrites existing settings.xml files', async () => {
     const id = 'packages';
-    const username = 'bluebottle';
-    const password = 'SingleOrigin';
+    const username = 'USERNAME';
+    const password = 'PASSWORD';
 
     fs.mkdirSync(m2Dir, {recursive: true});
     fs.writeFileSync(settingsFile, 'FAKE FILE');
@@ -87,30 +87,42 @@ describe('auth tests', () => {
   }, 100000);
 
   it('does not create settings.xml without required parameters', async () => {
-    await auth.configAuthentication('FOO', '', '');
+    await auth.configAuthentication('FOO');
 
-    expect(fs.existsSync(m2Dir)).toBe(false);
-    expect(fs.existsSync(settingsFile)).toBe(false);
+    expect(fs.existsSync(m2Dir)).toBe(true);
+    expect(fs.existsSync(settingsFile)).toBe(true);
+    expect(fs.readFileSync(settingsFile, 'utf-8')).toEqual(
+      auth.generate('FOO')
+    );
 
-    await auth.configAuthentication('', 'BAR', '');
+    await auth.configAuthentication(undefined, 'BAR', undefined);
 
-    expect(fs.existsSync(m2Dir)).toBe(false);
-    expect(fs.existsSync(settingsFile)).toBe(false);
+    expect(fs.existsSync(m2Dir)).toBe(true);
+    expect(fs.existsSync(settingsFile)).toBe(true);
+    expect(fs.readFileSync(settingsFile, 'utf-8')).toEqual(
+      auth.generate(undefined, 'BAR', undefined)
+    );
 
-    await auth.configAuthentication('', '', 'BAZ');
+    await auth.configAuthentication(undefined, undefined, 'BAZ');
 
-    expect(fs.existsSync(m2Dir)).toBe(false);
-    expect(fs.existsSync(settingsFile)).toBe(false);
+    expect(fs.existsSync(m2Dir)).toBe(true);
+    expect(fs.existsSync(settingsFile)).toBe(true);
+    expect(fs.readFileSync(settingsFile, 'utf-8')).toEqual(
+      auth.generate(undefined, undefined, 'BAZ')
+    );
 
-    await auth.configAuthentication('', '', '');
+    await auth.configAuthentication();
 
-    expect(fs.existsSync(m2Dir)).toBe(false);
-    expect(fs.existsSync(settingsFile)).toBe(false);
+    expect(fs.existsSync(m2Dir)).toBe(true);
+    expect(fs.existsSync(settingsFile)).toBe(true);
+    expect(fs.readFileSync(settingsFile, 'utf-8')).toEqual(
+      auth.generate(undefined, undefined, undefined)
+    );
   }, 100000);
 
   it('escapes invalid XML inputs', () => {
     const id = 'packages';
-    const username = 'bluebottle';
+    const username = 'USER';
     const password = '&<>"\'\'"><&';
 
     expect(auth.generate(id, username, password)).toEqual(`
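Review bot: The test title `does not create settings.xml without required parameters` now contradicts its assertions, which all expect `settingsFile` to exist; rename it to something like `creates settings.xml with default values for missing parameters`. The calls were also switched from `''` to `undefined`, so the empty strings that `core.getInput` returns for unset inputs are no longer exercised. A case such as `await auth.configAuthentication('', '', '')` with an explicit expectation would pin that behaviour. The `escapes invalid XML inputs` test that starts at the end of this hunk continues past it.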
@@ -118,8 +130,8 @@ describe('auth tests', () => {
       
         
           ${id}
-          ${username}
-          &<>"''"><&
+          \${env.${username}}
+          \${env.&<>"''"><&}
         
       
   
diff --git a/action.yml b/action.yml
index df1a2c15..d310ebdb 100644
--- a/action.yml
+++ b/action.yml
@@ -24,11 +24,12 @@ inputs:
        file.'
     required: false
   server-username:
-    description: 'Username for authentication to the Apache Maven repository.'
+    description: 'Environment variable name for the username for authentication
+       to the Apache Maven repository.'
     required: false
   server-password:
-    description: 'Password or token for authentication to the Apache Maven
-       repository.'
+    description: 'Environment variable name for password or token for
+       authentication to the Apache Maven repository.'
     required: false
   settings-path:
     description: 'Path to where the settings.xml file will be written. Default is ~/.m2.'
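Review bot: The new descriptions for `server-username` and `server-password` do not say what is used when the input is omitted, while `settings-path` just below states its default. src/auth.ts in this commit defines `DEFAULT_USERNAME = 'GITHUB_ACTOR'` and `DEFAULT_PASSWORD = 'GITHUB_TOKEN'`, so the descriptions could end with `Default is GITHUB_ACTOR.` and `Default is GITHUB_TOKEN.` respectively. It would also help to state that the value must be a variable name and never the credential itself, since the input names are unchanged.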
diff --git a/dist/index.js b/dist/index.js
index e9e7cc34..be71c59d 100644
--- a/dist/index.js
+++ b/dist/index.js
@@ -2848,20 +2848,18 @@ const core = __importStar(__webpack_require__(470));
 const io = __importStar(__webpack_require__(1));
 exports.M2_DIR = '.m2';
 exports.SETTINGS_FILE = 'settings.xml';
-function configAuthentication(id, username, password) {
+exports.DEFAULT_ID = 'github';
+exports.DEFAULT_USERNAME = 'GITHUB_ACTOR';
+exports.DEFAULT_PASSWORD = 'GITHUB_TOKEN';
+function configAuthentication(id = exports.DEFAULT_ID, username = exports.DEFAULT_USERNAME, password = exports.DEFAULT_PASSWORD) {
     return __awaiter(this, void 0, void 0, function* () {
-        if (id && username && password) {
-            console.log(`creating ${exports.SETTINGS_FILE} with server-id: ${id}, username: ${username}, and a password`);
-            // when an alternate m2 location is specified use only that location (no .m2 directory)
-            // otherwise use the home/.m2/ path
-            const directory = path.join(core.getInput('settings-path') || os.homedir(), core.getInput('settings-path') ? '' : exports.M2_DIR);
-            yield io.mkdirP(directory);
-            core.debug(`created directory ${directory}`);
-            yield write(directory, generate(id, username, password));
-        }
-        else {
-            core.debug(`no ${exports.SETTINGS_FILE} without server-id: ${id}, username: ${username}, and a password`);
-        }
+        console.log(`creating ${exports.SETTINGS_FILE} with server-id: ${id};`, `environment variables: username=\$${username} and password=\$${password}`);
+        // when an alternate m2 location is specified use only that location (no .m2 directory)
+        // otherwise use the home/.m2/ path
+        const directory = path.join(core.getInput('settings-path') || os.homedir(), core.getInput('settings-path') ? '' : exports.M2_DIR);
+        yield io.mkdirP(directory);
+        core.debug(`created directory ${directory}`);
+        yield write(directory, generate(id, username, password));
     });
 }
 exports.configAuthentication = configAuthentication;
@@ -2874,14 +2872,14 @@ function escapeXML(value) {
         .replace(/'/g, ''');
 }
 // only exported for testing purposes
-function generate(id, username, password) {
+function generate(id = exports.DEFAULT_ID, username = exports.DEFAULT_USERNAME, password = exports.DEFAULT_PASSWORD) {
     return `
   
       
         
           ${escapeXML(id)}
-          ${escapeXML(username)}
-          ${escapeXML(password)}
+          \${env.${escapeXML(username)}}
+          \${env.${escapeXML(password)}}
         
       
   
@@ -3883,12 +3881,7 @@ function run() {
             const id = core.getInput('server-id', { required: false });
             const username = core.getInput('server-username', { required: false });
             const password = core.getInput('server-password', { required: false });
-            if (id && username && password) {
-                yield auth.configAuthentication(id, username, password);
-            }
-            else if (id || username || password) {
-                console.warn('All 3 server-(id, username, and password) are required.');
-            }
+            yield auth.configAuthentication(id, username, password);
         }
         catch (error) {
             core.setFailed(error.message);
diff --git a/src/auth.ts b/src/auth.ts
index 0e95ed00..2e7c6e8e 100644
--- a/src/auth.ts
+++ b/src/auth.ts
@@ -7,29 +7,28 @@ import * as io from '@actions/io';
 export const M2_DIR = '.m2';
 export const SETTINGS_FILE = 'settings.xml';
 
+export const DEFAULT_ID = 'github';
+export const DEFAULT_USERNAME = 'GITHUB_ACTOR';
+export const DEFAULT_PASSWORD = 'GITHUB_TOKEN';
+
 export async function configAuthentication(
-  id: string,
-  username: string,
-  password: string
+  id = DEFAULT_ID,
+  username = DEFAULT_USERNAME,
+  password = DEFAULT_PASSWORD
 ) {
-  if (id && username && password) {
-    console.log(
-      `creating ${SETTINGS_FILE} with server-id: ${id}, username: ${username}, and a password`
-    );
-    // when an alternate m2 location is specified use only that location (no .m2 directory)
-    // otherwise use the home/.m2/ path
-    const directory: string = path.join(
-      core.getInput('settings-path') || os.homedir(),
-      core.getInput('settings-path') ? '' : M2_DIR
-    );
-    await io.mkdirP(directory);
-    core.debug(`created directory ${directory}`);
-    await write(directory, generate(id, username, password));
-  } else {
-    core.debug(
-      `no ${SETTINGS_FILE} without server-id: ${id}, username: ${username}, and a password`
-    );
-  }
+  console.log(
+    `creating ${SETTINGS_FILE} with server-id: ${id};`,
+    `environment variables: username=\$${username} and password=\$${password}`
+  );
+  // when an alternate m2 location is specified use only that location (no .m2 directory)
+  // otherwise use the home/.m2/ path
+  const directory: string = path.join(
+    core.getInput('settings-path') || os.homedir(),
+    core.getInput('settings-path') ? '' : M2_DIR
+  );
+  await io.mkdirP(directory);
+  core.debug(`created directory ${directory}`);
+  await write(directory, generate(id, username, password));
 }
 
 function escapeXML(value: string) {
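Review bot: The new `console.log` in `configAuthentication` prints the `server-password` input verbatim, which is safe only when that input really is a variable name. A workflow still written for the previous semantics passes the secret itself (`server-password: ${{ secrets.MAVEN_CENTRAL_TOKEN }}`, as the old README showed). That value would then be echoed here and written into settings.xml inside `${env.…}`, with runner log masking as the only backstop. Consider rejecting values that are not plausible variable names before logging or writing, e.g. `if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(password)) throw new Error('server-password must be the name of an environment variable');`, and the same for `username`.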
@@ -42,14 +41,18 @@ function escapeXML(value: string) {
 }
 
 // only exported for testing purposes
-export function generate(id: string, username: string, password: string) {
+export function generate(
+  id = DEFAULT_ID,
+  username = DEFAULT_USERNAME,
+  password = DEFAULT_PASSWORD
+) {
   return `
   
       
         
           ${escapeXML(id)}
-          ${escapeXML(username)}
-          ${escapeXML(password)}
+          \${env.${escapeXML(username)}}
+          \${env.${escapeXML(password)}}
         
       
   
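Review bot: `generate` keeps the parameter names `username` and `password` although both now carry environment variable names, and nothing in the function says so. A short comment above it would help, e.g. `// username and password are names of environment variables; Maven expands ${env.NAME} when it reads settings.xml`. It follows that the variables have to be set on the step that runs `mvn`; the README examples in this commit appear to put `env:` on the setup-java step instead, which is worth checking. The template literal continues past the end of this hunk.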
diff --git a/src/setup-java.ts b/src/setup-java.ts
index 9300eef5..a50ff550 100644
--- a/src/setup-java.ts
+++ b/src/setup-java.ts
@@ -22,11 +22,7 @@ async function run() {
     const username = core.getInput('server-username', {required: false});
     const password = core.getInput('server-password', {required: false});
 
-    if (id && username && password) {
-      await auth.configAuthentication(id, username, password);
-    } else if (id || username || password) {
-      console.warn('All 3 server-(id, username, and password) are required.');
-    }
+    await auth.configAuthentication(id, username, password);
   } catch (error) {
     core.setFailed(error.message);
   }
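Review bot: The defaults added to `configAuthentication` will not apply from this call in `run()`, because `core.getInput` returns an empty string for an input that is not set and default parameters are used only for `undefined`. With the guard removed, a workflow that sets none of the server inputs would get a settings.xml with an empty id and `${env.}` placeholders instead of `github`, `GITHUB_ACTOR` and `GITHUB_TOKEN`. Map empty to undefined where the inputs are read, e.g. `const username = core.getInput('server-username', {required: false}) || undefined;`, and likewise for `id` (read just above this hunk) and `password`. The compiled `run()` in dist/index.js has the same call.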