diff --git a/.github/workflows/release_authenticator.yml b/.github/workflows/release_authenticator.yml
index 0dbb3f5..85cb14e 100644
--- a/.github/workflows/release_authenticator.yml
+++ b/.github/workflows/release_authenticator.yml
@@ -1,13 +1,28 @@
 name: Release Authenticator
 on:
 push:
- branches: [ release ]
+ branches: [ main ]
 permissions:
 id-token: write
 contents: write
 jobs:
+ determine-release-type:
+ name: Determine the release type
+ runs-on: ubuntu-latest
+ outputs:
+ release-type: ${{ steps.release-type.outputs.value }}
+ steps:
+ - id: release-type
+ run: |
+ if ${{ github.event.head_commit.author.username == 'github-actions[bot]' && startsWith(github.event.head_commit.message, 'chore: Release ') }}; then
+ VALUE=stable
+ else
+ VALUE=unstable
+ fi
+ echo "value=$VALUE" >> $GITHUB_OUTPUT
+
 unit-tests:
 name: Run Unit Tests
 uses: ./.github/workflows/unit_tests.yml
@@ -16,8 +31,8 @@ jobs:
 release:
 environment: Release
- name: Release new Authenticator version
- needs: [unit-tests]
+ name: Release new Authenticator ${{ needs.determine-release-type.outputs.release-type }} version
+ needs: [determine-release-type, unit-tests]
 runs-on: macos-latest
 env:
 GITHUB_EMAIL: aws-amplify-ops@amazon.com
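Review bot: The stable/unstable decision in the `determine-release-type` job rests on `head_commit.author.username` and a message prefix, both of which are commit metadata chosen by whoever authors the commit rather than a verified identity, so this check should not be treated as the authorization for a stable release. If the `Release` environment's protection rules are the real gate, record that above the step, e.g. `# Classification only: author and message are unauthenticated commit metadata; approval is enforced by the Release environment`. The job also inherits the workflow-level `id-token: write` and `contents: write` although it only writes a step output; adding `permissions: {}` to this job would drop both. Quoting the redirect target (`>> "$GITHUB_OUTPUT"`) matches GitHub's documented form.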
@@ -53,5 +68,24 @@ jobs:
 ruby-version: '3.2.1'
 bundler-cache: true
- - name: Release Authenticator
- run: bundle exec fastlane release
\ No newline at end of file
+ - name: Release unstable version
+ if: needs.determine-release-type.outputs.release-type == 'unstable'
+ env:
+ GH_TOKEN: ${{ github.token }}
+ run: bundle exec fastlane unstable_release
+
+ - name: Determine stable release version
+ id: determine-release-version
+ if: needs.determine-release-type.outputs.release-type == 'stable'
+ uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
+ with:
+ result-encoding: string
+ script: |
+ const matches = `${{ github.event.head_commit.message }}`.match(/[0-9]+\.[0-9]+\.[0-9]+/) ?? []
+ return matches.length > 0 ? matches[0] : ""
+
+ - name: Release stable version
+ if: steps.determine-release-version.outputs.result != ''
+ env:
+ GH_TOKEN: ${{ github.token }}
+ run: bundle exec fastlane stable_release version:${{ steps.determine-release-version.outputs.result }}
\ No newline at end of file
diff --git a/.github/workflows/release_kickoff.yml b/.github/workflows/release_kickoff.yml
index 908a0ee..9b4bb7f 100644
--- a/.github/workflows/release_kickoff.yml
+++ b/.github/workflows/release_kickoff.yml
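Review bot: In release_authenticator.yml's `Determine stable release version` step, `${{ github.event.head_commit.message }}` is expanded into the JavaScript source inside a template literal before the script runs, so the commit message text is parsed as code rather than handled as data, in a job that holds `contents: write`, `id-token: write` and the `Release` environment. Read the message from the event payload instead of interpolating it: `const matches = context.payload.head_commit.message.match(/[0-9]+\.[0-9]+\.[0-9]+/) ?? []` (or pass it through an `env:` entry and read `process.env`). The `version:${{ steps.determine-release-version.outputs.result }}` argument in the last step is then limited to the digits-and-dots match, but handing it over through `env:` as well would keep every expression out of the `run:` line.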
@@ -3,16 +3,49 @@ on:
 workflow_dispatch:
 permissions:
+ id-token: write
 pull-requests: write
 jobs:
 release:
- name: Release
- runs-on: ubuntu-latest
-
+ environment: Release
+ name: Kick off new Authenticator release
+ runs-on: macos-latest
+ env:
+ GITHUB_EMAIL: aws-amplify-ops@amazon.com
+ GITHUB_USER: aws-amplify-ops
 steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - name: Create PR to push main to release branch
+ - name: Configure AWS credentials
+ uses: aws-actions/configure-aws-credentials@8c3f20df09ac63af7b3ae3d7c91f105f857d8497 #v4
+ with:
+ role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
+ role-session-name: ${{ format('{0}.release', github.run_id) }}
+ aws-region: ${{ secrets.AWS_REGION }}
+ mask-aws-account-id: true
+
+ - id: retrieve-token
+ name: Retrieve Token
+ env:
+ DEPLOY_SECRET_ARN: ${{ secrets.DEPLOY_SECRET_ARN }}
+ run: |
+ PAT=$(aws secretsmanager get-secret-value \
+ --secret-id "$DEPLOY_SECRET_ARN" \
+ | jq -r ".SecretString | fromjson | .Credential")
+ echo "token=$PAT" >> $GITHUB_OUTPUT
+
+ - name: Checkout repo
+ uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+ with:
+ fetch-depth: 10
+ token: ${{steps.retrieve-token.outputs.token}}
+
+ - name: Setup Ruby
+ uses: ruby/setup-ruby@22fdc77bf4148f810455b226c90fb81b5cbc00a7 # v1.171.0
+ with:
+ ruby-version: '3.2.1'
+ bundler-cache: true
+
+ - name: Kick off Authenticator release
 env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- run: "gh pr create --title 'chore: kickoff release' --body 'kickoff release' --head main --base release"
\ No newline at end of file
+ GH_TOKEN: ${{ github.token }}
+ run: bundle exec fastlane kickoff_release
\ No newline at end of file
diff --git a/fastlane/Fastfile b/fastlane/Fastfile
index 8130dfc..f058242 100644
--- a/fastlane/Fastfile
+++ b/fastlane/Fastfile
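Review bot: The `retrieve-token` step in release_kickoff.yml writes the token read from Secrets Manager to `$GITHUB_OUTPUT` without registering it for masking, so the runner has no reason to redact it if it is ever echoed, for example under step debug logging or in a later command's output. Emit `echo "::add-mask::$PAT"` before the `echo "token=$PAT"` line, and fail the step when the value is empty or `null` so a failed secret lookup does not reach `actions/checkout` as a literal token. `actions/checkout` also keeps the supplied token in the local git configuration for the rest of the job by default; that appears to be what lets the fastlane lane push, so everything `bundle exec` runs afterwards executes with that credential available.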
@@ -9,12 +9,11 @@ platform :swift do
 sh('git', 'fetch')
 end
- desc "Create a release version by building and committing a changelog, pushing a tag to GitHub"
- lane :release do
+ desc "Kickoff the next release by updating the changelog, updating the component version, and creating a PR to main"
+ lane :kickoff_release do
 next_version, commits = calculate_next_release_version
- UI.message("Releasing version: #{next_version}")
-
+ UI.message("Kicking off new release for version: #{next_version}")
 # Increment all specs and plists
 increment_versions(version: next_version)
@@ -25,11 +24,16 @@ platform :swift do
 # Update Package dependencies
 sh('bundle', 'exec', 'swift', 'package', 'update')
+ # Create and push the new branch
+ release_branch = "release/#{next_version}"
+ sh('git', 'checkout', '-b', release_branch)
+ sh('git', 'push', '--set-upstream', 'origin', release_branch)
+
 # Commit and push
- release_commit(version: next_version)
+ pr_title = release_commit(version: next_version).to_s
- # Create tag and push to origin
- add_tag(version: next_version)
+ # Open the PR to main
+ sh('gh', 'pr', 'create', '--title', pr_title, '--body', 'Kicking off new release', '--base', 'main', '--head', release_branch)
 end
 desc "Increment versions"
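Review bot: In `kickoff_release` (second Fastfile hunk), `pr_title` depends on `release_commit` returning its commit message as the lane's last expression, and that title, presumably carried into the merge commit on main, is what release_authenticator.yml later matches on `'chore: Release '` and an x.y.z pattern to choose a stable release; nothing at either site records the coupling. Add a comment above the assignment such as `# Title must stay 'chore: Release X.Y.Z': release_authenticator.yml parses the merged commit message to trigger the stable release`. The lane body starts in the previous hunk and `release_commit` is defined further down the file.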
@@ -45,18 +49,41 @@ platform :swift do
 sh('git', 'config', '--global', 'user.email', ENV['GITHUB_EMAIL'])
 sh('git', 'config', '--global', 'user.name', ENV['GITHUB_USER'])
- commit_message = "chore: Release #{next_version} [skip ci]"
+ commit_message = "chore: Release #{next_version}"
 sh('git', 'commit', '-am', commit_message)
+ sh('git', 'push')
+ commit_message
+ end
+
+ desc "Create a pre-release version by pushing a new tag to GitHub"
+ lane :unstable_release do
+ next_version = calculate_next_canary_version
+
+ UI.message("Releasing Authenticator unstable version: #{next_version}")
+
+ # Create tag and push to origin
+ add_tag(version: next_version)
+ end
+
+ desc "Create a release version by pushing a new tag to GitHub and creating a new draft release"
+ lane :stable_release do |options|
+ next_version = options[:version]
+
+ UI.message("Releasing Authenticator version: #{next_version}")
- # push to origin
- sh('git', 'push', 'origin', 'release')
- sh('git', 'push', 'origin', 'release:main')
+ # Create and push the new tag
+ add_tag(version: next_version)
+
+ # Create draft release
+ release_date = sh("echo $(date +%F)")
+ release_title = "#{next_version} (#{release_date})"
+ sh('gh', 'release', 'create', next_version, '--draft', '--title', release_title)
 end
+ desc "Tag in git and push to GitHub"
 private_lane :add_tag do |options|
- next_version = options[:version]
- next_tag = "#{next_version}"
+ next_tag = options[:version].to_s
 add_git_tag(tag: next_tag)
 push_git_tags(tag: next_tag)
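Review bot: `stable_release` tags and drafts a release from `options[:version]` without checking its shape, so the lane trusts whatever the caller passes on the command line; a guard such as `UI.user_error!("Invalid version: #{next_version}") unless next_version.to_s.match?(/\A\d+\.\d+\.\d+\z/)` right after the assignment keeps a malformed value from becoming a tag. Separately, `sh("echo $(date +%F)")` likely returns the date with a trailing newline, which would end up inside `release_title`; `release_date = Time.now.strftime('%F')` avoids the subshell altogether.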