diff --git a/.github/workflows/pre-merge.yaml b/.github/workflows/pre-merge.yaml
index 2324266437..aaa6a4b560 100644
--- a/.github/workflows/pre-merge.yaml
+++ b/.github/workflows/pre-merge.yaml
@@ -14,7 +14,7 @@ on:
   push:
     branches:
       - "release/**"
-      - "feature/**"
+      #- "feature/**" # Run `promote` workflow instead.
       - "improvement/**"
       - "hotfix/**"
       - "bugfix/**"
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
new file mode 100644
index 0000000000..b2932e319e
--- /dev/null
+++ b/.github/workflows/release.yaml
@@ -0,0 +1,121 @@
+name: "Release"
+run-name: Release ${{ inputs.tag }}
+
+on:
+  workflow_dispatch:
+    inputs:
+      revision:
+        type: string
+        description: "commit sha1 revision where to start the release, must be the long commit sha1"
+        required: true
+      tag:
+        type: string
+        description: "the new tag/release version to create"
+        required: true
+
+env:
+  RELEASE_BRANCH: feature/release-${{inputs.tag}}
+
+jobs:
+  prepare-version:
+    runs-on: ubuntu-20.04
+    steps:
+      - uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          app-id: ${{ vars.ACTIONS_APP_ID }}
+          private-key: ${{ secrets.ACTIONS_APP_PRIVATE_KEY }}
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{inputs.revision}}
+          token: ${{ steps.app-token.outputs.token }}
+      - name: Install semver tool
+        run: |
+          curl --fail -LO https://raw.githubusercontent.com/fsaintjacques/semver-tool/3.3.0/src/semver
+          chmod +x ./semver
+      - name: Check hotfix releases
+        env:
+          SEMVER_TAG: ${{ inputs.tag }}
+        run: |
+          if [[ "$SEMVER_TAG" =~ ^([[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+)\.([[:digit:]]+)(.*) ]]; then
+            echo "Hotfix version detected: ${BASH_REMATCH[1]}, hotfix: ${BASH_REMATCH[2]}, prerelease: ${BASH_REMATCH[3]}"
+            echo HOTFIX_VERSION="${BASH_REMATCH[2]}" >> $GITHUB_ENV
+            echo NEW_VERSION_SUFFIX=".${BASH_REMATCH[2]}${BASH_REMATCH[3]}" >> $GITHUB_ENV
+
+            # if a hotfix version is detected, we 'tweak' the tag to make it a valid semver tag
+            # This will only be usd for internal validation, the "official" tag will be the 4-digit
+            # tag that was provided
+            SEMVER_TAG="${BASH_REMATCH[1]}-hotfix.${BASH_REMATCH[2]}${BASH_REMATCH[3]}"
+          fi
+
+          echo SEMVER_TAG="$SEMVER_TAG" >> $GITHUB_ENV
+      - name: Validate input tag
+        run: ./semver validate $SEMVER_TAG
+      - name: Prevent major/minor version change
+        run: |
+          source VERSION
+          diff=$(./semver diff "$VERSION_MAJOR.$VERSION_MINOR.$VERSION_PATCH$VERSION_SUFFIX" $SEMVER_TAG)
+          if [[ "$diff" == "prerelease" ]]
+          then
+            echo "version match"
+            exit 0
+          fi
+
+          # prevent changes on major/minor/patch version
+          # major/minor these are done manually by creating a new dev/* branch
+          # patch is done at the end of this workflow
+          echo "version mismatch, can only upgrade patch version"
+          exit 1
+      - name: Check version is on the right branch
+        run: |
+          source VERSION
+
+          # Need to unshallow and fetch dev branches first
+          git fetch --unshallow --no-tags origin HEAD '+refs/heads/development/*:refs/remotes/origin/development/*'
+
+          GIT_REMOTE=$(git remote)
+          BASE_BRANCH=$(git branch -a --list ${GIT_REMOTE}/development/${VERSION_MAJOR}.${VERSION_MINOR})
+          if ! git merge-base --is-ancestor HEAD ${BASE_BRANCH}; then
+            echo "Version commit is not included in base branch ${BASE_BRANCH}"
+            exit 1
+          fi
+
+          NEXT_MAJOR=$((VERSION_MAJOR+1)).0
+          NEXT_MINOR=${VERSION_MAJOR}.$((VERSION_MINOR+1))
+          NEXT_PATCH=${VERSION_MAJOR}.${VERSION_MINOR}.$((VERSION_PATCH+1))
+          for BRANCH in $(git branch -a --list ${GIT_REMOTE}/development/{$NEXT_MAJOR,$NEXT_MINOR,$NEXT_PATCH}); do
+            if git merge-base --is-ancestor $BRANCH HEAD ; then
+              echo "Version commit includes next target branch ${BRANCH}"
+              exit 1
+            fi
+          done
+      - name: Prepare branch
+        run: git checkout -b ${{env.RELEASE_BRANCH}}
+      - name: Set the new version
+        run: |
+          if [ -z "${NEW_VERSION_SUFFIX}" ]; then
+            NEW_VERSION_SUFFIX=$(./semver get prerel ${{inputs.tag}})
+            [ -n "$NEW_VERSION_SUFFIX" ] && NEW_VERSION_SUFFIX="-$NEW_VERSION_SUFFIX"
+          fi
+          sed -i "s/VERSION_SUFFIX=.*/VERSION_SUFFIX=$NEW_VERSION_SUFFIX/" VERSION
+      - name: Commit with requested version and push
+        run: |
+          git fsck
+          git gc
+          git add VERSION
+          git config --global user.email ${{github.actor}}@scality.com
+          git config --global user.name ${{github.actor}}
+          git commit -m "Release version ${{inputs.tag}}"
+          git push --set-upstream origin ${{env.RELEASE_BRANCH}}
+      - name: Create Release
+        uses: softprops/action-gh-release@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GIT_ACCESS_TOKEN }}
+        with:
+          name: Release ${{ inputs.tag }}
+          tag_name: ${{ inputs.tag }}
+          generate_release_notes: true
+          target_commitish: ${{ env.RELEASE_BRANCH }}
+    outputs:
+      supported-until-date: ${{ steps.compute-supported-until-date.outputs.supported-until-date }}
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 828e68d8e1..e178fed737 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -98,6 +98,9 @@
 
 ### Enhancements
 
+- Add a ci workflow for release automation
+  (PR[#4479](https://github.com/scality/metalk8s/pull/4479))
+
 - Bump Kubernetes version to
   [1.28.12](https://github.com/kubernetes/kubernetes/releases/tag/v1.28.12)
   (PR[#4382](https://github.com/scality/metalk8s/pull/4382))