diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 628cf02..c5b3e7e 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -7,9 +7,27 @@ on:
     branches: [main]
   workflow_dispatch:
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
-  lint:
-    name: Lint (all modules)
+  lint_commit:
+    name: Lint Commit Message
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: "lts/*"
+      - run: npm install -g @commitlint/cli @commitlint/config-conventional commitlint-plugin-regex-match
+      - name: Lint PR title
+        run: |
+          PR_TITLE="${{ github.event.pull_request.title }}"
+          echo "$PR_TITLE" | npx commitlint
+
+  lint_code:
+    name: Lint Go Code
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -46,9 +64,9 @@ jobs:
           version: v2.1
           args: ./shuttle/... ./weaver/... --timeout 5m
 
-  test:
+  test_unit:
     name: Test ${{ matrix.app }}
-    needs: lint
+    needs: lint_code
     runs-on: ubuntu-latest
     strategy:
       matrix:
@@ -79,9 +97,9 @@ jobs:
           name: coverage-${{ matrix.app }}
           path: coverage.out
 
-  build-and-push:
+  build_and_push:
     name: Build & Push ${{ matrix.app }}
-    needs: test
+    needs: test_unit
     runs-on: ubuntu-latest
     permissions:
       contents: read
@@ -113,9 +131,30 @@ jobs:
         with:
           context: .
           file: build/${{ matrix.app }}/Dockerfile
-          push: true
+          push: ${{ github.event_name != 'pull_request' }}
           tags: |
             ghcr.io/${{ github.repository_owner }}/${{ matrix.docker_name }}:${{ steps.vars.outputs.short_sha }}
-            ghcr.io/${{ github.repository_owner }}/${{ matrix.docker_name }}:latest
+            ${{ github.event_name == 'push' && format('ghcr.io/{0}/{1}:latest', github.repository_owner, matrix.docker_name) || '' }}
           cache-from: type=gha
-          cache-to: type=gha,mode=max
\ No newline at end of file
+          cache-to: type=gha,mode=max
+
+  release:
+    name: Release
+    needs:
+      - test_unit
+      - build_and_push
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    runs-on: ubuntu-latest
+    env:
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-node@v4
+        with:
+          node-version: "lts/*"
+      - name: Install semantic-release & plugins
+        run: npm install -g semantic-release@20.1.0 @semantic-release/commit-analyzer @semantic-release/release-notes-generator @semantic-release/changelog @semantic-release/exec @semantic-release/git @semantic-release/github
+      - name: Run semantic-release
+        run: npx semantic-release
diff --git a/.releaserc.json b/.releaserc.json
new file mode 100644
index 0000000..256a85d
--- /dev/null
+++ b/.releaserc.json
@@ -0,0 +1,56 @@
+{
+  "branches": [
+    "main"
+  ],
+  "tagFormat": "v${version}",
+  "repositoryUrl": "https://github.com/codecflow/fabric.git",
+  "plugins": [
+    [
+      "@semantic-release/commit-analyzer",
+      {
+        "preset": "angular",
+        "initialVersion": "0.1.0",
+        "releaseRules": [
+          { "type": "release", "release": "major" },
+          { "type": "feat",    "release": "minor" },
+          { "type": "fix",     "release": "patch" },
+          { "type": "perf",    "release": "patch" },
+          { "type": "refactor","release": "patch" },
+          { "type": "test",    "release": "patch" },
+          { "type": "revert",  "release": "patch" },
+          { "type": "hotfix",  "release": "patch" },
+          { "type": "bugfix",  "release": "patch" },
+          { "type": "build",   "release": false },
+          { "type": "ci",      "release": false },
+          { "type": "docs",    "release": false },
+          { "type": "content", "release": false },
+          { "type": "chore",   "release": false }
+        ]
+      }
+    ],
+    "@semantic-release/release-notes-generator",
+    "@semantic-release/changelog",
+    [
+      "@semantic-release/exec",
+      {
+        "prepareCmd": "echo \"VERSION_TAG=v${nextRelease.version}\" > release.env"
+      }
+    ],
+    [
+      "@semantic-release/git",
+      {
+        "assets": ["CHANGELOG.md", "release.env"],
+        "message": "chore(release): ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}"
+      }
+    ],
+    [
+      "@semantic-release/github",
+      {
+        "assets": [
+          {"path": "CHANGELOG.md", "label": "Changelog"},
+          {"path": "release.env", "label": "Release Metadata"}
+        ]
+      }
+    ]
+  ]
+}
diff --git a/commitlint.config.js b/commitlint.config.js
new file mode 100644
index 0000000..2f328b6
--- /dev/null
+++ b/commitlint.config.js
@@ -0,0 +1,33 @@
+module.exports = {
+  extends: ['@commitlint/config-conventional'],
+  rules: {
+    // only these types allowed
+    'type-enum': [
+      2, 'always',
+      [
+        'feat',
+        'fix',
+        'perf',
+        'refactor',
+        'test',
+        'revert',
+        'chore',
+        'docs',
+        'content',
+        'build',
+        'ci',
+        'hotfix',
+        'bugfix',
+        'release'
+      ]
+    ],
+    // require a scope (optional—remove if you don’t want to enforce)
+    'scope-empty': [2, 'never'],
+    // allow any subject-case
+    'subject-case': [0]
+  },
+  ignores: [
+    (message) => message.includes('Draft:')
+  ]
+
+};