diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
new file mode 100644
index 0000000000..8304d4fe28
--- /dev/null
+++ b/.github/workflows/release.yaml
@@ -0,0 +1,90 @@
+name: "Release"
+run-name: Release ${{ inputs.tag }}
+
+on:
+  workflow_dispatch:
+    inputs:
+      revision:
+        type: string
+        description: "commit sha1 revision where to start the release, must be the long commit sha1"
+        required: true
+      tag:
+        type: string
+        description: "the new tag/release version to create"
+        required: true
+
+env:
+  RELEASE_BRANCH: release-${{inputs.tag}}
+
+jobs:
+  prepare-version:
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          app-id: ${{ vars.ACTIONS_APP_ID }}
+          private-key: ${{ secrets.ACTIONS_APP_PRIVATE_KEY }}
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{inputs.revision}}
+          token: ${{ steps.app-token.outputs.token }}
+      - name: Install semver tool
+        run: |
+          curl --fail -LO https://raw.githubusercontent.com/fsaintjacques/semver-tool/3.4.0/src/semver
+          chmod +x ./semver
+      - name: Check hotfix releases
+        env:
+          SEMVER_TAG: ${{ inputs.tag }}
+        run: |
+          echo SEMVER_TAG="$SEMVER_TAG" >> $GITHUB_ENV
+      - name: Validate input tag
+        run: ./semver validate $SEMVER_TAG
+      - name: Prevent major/minor version change
+        run: |
+          source VERSION
+          diff=$(./semver diff "$VERSION_MAJOR.$VERSION_MINOR.$VERSION_PATCH$VERSION_SUFFIX" $SEMVER_TAG)
+          if [[ "$diff" == "prerelease" ]]; then
+            echo "version match"
+            exit 0
+          fi
+
+          # prevent changes on major/minor/patch version
+          # major/minor these are done manually by creating a new dev/* branch
+          # patch is done at the end of this workflow
+          echo "version mismatch, can only upgrade patch version"
+          exit 1
+      - name: Check version is on the right branch
+        run: |
+          source VERSION
+
+          # Need to unshallow and fetch dev branches first
+          git fetch --unshallow --no-tags origin HEAD '+refs/heads/development/*:refs/remotes/origin/development/*'
+
+          GIT_REMOTE=$(git remote)
+          BASE_BRANCH=$(git branch -a --list ${GIT_REMOTE}/development/${VERSION_MAJOR}.${VERSION_MINOR})
+          if ! git merge-base --is-ancestor HEAD ${BASE_BRANCH}; then
+            echo "Version commit is not included in base branch ${BASE_BRANCH}"
+            exit 1
+          fi
+      - name: Prepare branch
+        run: git checkout -b ${{env.RELEASE_BRANCH}}
+      - name: Set the new version
+        run: |
+          if [ -z "${NEW_VERSION_SUFFIX}" ]; then
+            NEW_VERSION_SUFFIX=$(./semver get prerel ${{inputs.tag}})
+            [ -n "$NEW_VERSION_SUFFIX" ] && NEW_VERSION_SUFFIX="-$NEW_VERSION_SUFFIX"
+          fi
+          sed -i "s/VERSION_SUFFIX=.*/VERSION_SUFFIX=$NEW_VERSION_SUFFIX/" VERSION
+      - name: Commit with requested version and push
+        run: |
+          git fsck
+          git gc
+          git add VERSION
+          git config --global user.email ${{github.actor}}@scality.com
+          git config --global user.name ${{github.actor}}
+          git commit -m "Release ${{inputs.tag}}"
+          git push --set-upstream origin ${{env.RELEASE_BRANCH}}
+    outputs:
+      supported-until-date: ${{ steps.compute-supported-until-date.outputs.supported-until-date }}