diff --git a/.buildkite/hooks/pre-command b/.buildkite/hooks/pre-command
index 7b1701cc5..012acec51 100755
--- a/.buildkite/hooks/pre-command
+++ b/.buildkite/hooks/pre-command
@@ -1,9 +1,31 @@
 #!/usr/bin/env bash
-
+# this script is executed by multiple buildkite agents running on one node, so we write the pid to a file
+# if the pidfile exists we know another process is executing so we don't need to install anything
+#
+# A more robust approach would be to use a lock file, but that would require some more work
 set -eu
 pushd "$(dirname "${BASH_SOURCE[0]}")"/../..
 
 WORKDIR=$(pwd)
+PIDFILE=/var/lock/dobackup.pid
+
+remove_pidfile()
+{
+  rm -f "$PIDFILE"
+}
+
+another_instance()
+{
+  echo "There is another instance running, skipping"
+  exit 0
+}
+
+if [ -f "$PIDFILE" ]; then
+  kill -0 "$(cat $PIDFILE)" && another_instance
+fi
+trap remove_pidfile EXIT
+echo $$ > "$PIDFILE"
+
 
 echo "Installing asdf dependencies as defined in '${WORKDIR}/.tool-versions':"
 asdf install
diff --git a/.buildkite/pipeline.yaml b/.buildkite/pipeline.yaml
index a72a84250..59f71bc74 100644
--- a/.buildkite/pipeline.yaml
+++ b/.buildkite/pipeline.yaml
@@ -35,3 +35,31 @@ steps:
     label: ":lock: security - checkov"
     agents: { queue: "standard" }
     soft_fail: true
+
+  - label: "Release: test"
+    if: "build.branch =~ /^wip_/"
+    command: |
+      wget https://storage.googleapis.com/buildkite_public_assets/sg-rfc795.tar.gz
+      tar zxf sg-rfc795.tar.gz
+      chmod +x ./sg-rfc795
+
+      ./sg-rfc795 release run test --workdir=. --config-from-commit
+
+  - wait
+
+  - label: "Release: finalize"
+    if: "build.branch =~ /^wip_/"
+    command: |
+      wget https://storage.googleapis.com/buildkite_public_assets/sg-rfc795.tar.gz
+      tar zxf sg-rfc795.tar.gz
+      chmod +x ./sg-rfc795
+
+      ./sg-rfc795 release run internal finalize --workdir=. --config-from-commit
+  - label: "Promote to public: finalize"
+    if: build.message =~ /^promote_release/ && build.branch =~ /^wip_release/
+    command: |
+      wget https://storage.googleapis.com/buildkite_public_assets/sg-rfc795.tar.gz
+      tar zxf sg-rfc795.tar.gz
+      chmod +x ./sg-rfc795
+
+      ./sg-rfc795 release run promote-to-public finalize --workdir=. --config-from-commit
diff --git a/release.yaml b/release.yaml
new file mode 100644
index 000000000..1602ade71
--- /dev/null
+++ b/release.yaml
@@ -0,0 +1,129 @@
+---
+meta:
+  productName: "deploy-sourcegraph-docker"
+  owners:
+    - "@sourcegraph/release"
+  repository: "github.com/sourcegraph/deploy-sourcegraph-docker"
+inputs:
+  releaseId: server
+requirements:
+  - name: "go"
+    cmd: "which go"
+    fixInstructions: "install golang"
+  - name: "GitHub cli exists"
+    cmd: "which gh"
+    fixInstructions: "install GitHub cli"
+internal:
+  create:
+    steps:
+      patch:
+          - name: docker(compose):tags
+            cmd: |
+              set -e
+              registry=us-central1-docker.pkg.dev/sourcegraph-ci/rfc795-internal
+              sg-rfc ops update-images --registry ${registry} --kind compose --pin-tag {{tag}} docker-compose/
+          - name: docker(shell):tags
+            cmd: |
+              set -e
+              registry=us-central1-docker.pkg.dev/sourcegraph-ci/rfc795-internal
+              sg-rfc ops update-images --registry ${registry} --kind shell --pin-tag {{tag}} pure-docker/
+          - name: "git:branch"
+            cmd: |
+              branch="wip_{{version}}"
+              git switch -c "${branch}"
+              git commit -am 'release_patch: {{version}}' -m '{{config}}'
+              git push origin ${branch}
+          - name: "gh"
+            cmd: |
+              gh pr create -f -t "PRETEND RELEASE WIP: release_patch: build {{version}}" --body "Test plan: automated release PR, CI will perform additional checks"
+      minor:
+          - name: docker(compose):tags
+            cmd: |
+              set -e
+              registry=us-central1-docker.pkg.dev/sourcegraph-ci/rfc795-internal
+              sg-rfc ops update-images --registry ${registry} --kind compose --pin-tag {{tag}} docker-compose/
+          - name: docker(shell):tags
+            cmd: |
+              set -e
+              registry=us-central1-docker.pkg.dev/sourcegraph-ci/rfc795-internal
+              sg-rfc ops update-images --registry ${registry} --kind shell --pin-tag {{tag}} pure-docker/
+          - name: "git:branch"
+            cmd: |
+              branch="wip_{{version}}"
+              git switch -c "${branch}"
+              git commit -am 'release_minor: {{version}}' -m '{{config}}'
+              git push origin ${branch}
+          - name: "gh"
+            cmd: |
+              gh pr create -f -t "PRETEND RELEASE WIP: release_minor: build {{version}}" --body "Test plan: automated release PR, CI will perform additional checks"
+      major:
+          - name: docker(compose):tags
+            cmd: |
+              set -e
+              registry=us-central1-docker.pkg.dev/sourcegraph-ci/rfc795-internal
+              sg-rfc ops update-images --registry ${registry} --kind compose --pin-tag {{tag}} docker-compose/
+          - name: docker(shell):tags
+            cmd: |
+              set -e
+              registry=us-central1-docker.pkg.dev/sourcegraph-ci/rfc795-internal
+              sg-rfc ops update-images --registry ${registry} --kind shell --pin-tag {{tag}} pure-docker/
+          - name: "git:branch"
+            cmd: |
+              branch="wip_{{version}}"
+              git switch -c "${branch}"
+              git commit -am 'release_major: {{version}}' -m '{{config}}'
+              git push origin ${branch}
+          - name: "gh"
+            cmd: |
+              gh pr create -f -t "PRETEND RELEASE WIP: release_major: build {{version}}" --body "Test plan: automated release PR, CI will perform additional checks"
+  finalize:
+    steps:
+      - name: "git:finalize"
+        cmd: |
+          set -e
+          branch="wip_release-{{version}}"
+          git switch -c "${branch}"
+          echo "pushing branch ${branch}"
+          git push origin "${branch}"
+          git checkout -
+test:
+  steps:
+    - name: "foo"
+      cmd: |
+        echo "Test"
+
+promoteToPublic:
+  create:
+    steps:
+      - name: docker(compose):tags
+        cmd: |
+          set -e
+          registry=us-central1-docker.pkg.dev/sourcegraph-ci/rfc795-public
+          sg-rfc ops update-images --registry ${registry} --kind compose --pin-tag {{tag}} docker-compose/
+      - name: docker(shell):tags
+        cmd: |
+          set -e
+          registry=us-central1-docker.pkg.dev/sourcegraph-ci/rfc795-public
+          sg-rfc ops update-images --registry ${registry} --kind shell --pin-tag {{tag}} pure-docker/
+      - name: "git:branch"
+        cmd: |
+          branch="promote-release_{{version}}"
+          git switch -c "${branch}"
+          git commit -am 'promote-release: {{version}}' -m '{{config}}'
+          git push origin "${branch}"
+      - name: "gh"
+        cmd: |
+          set -e
+          branch="wip_release-{{version}}"
+          # we need to fetch from origin just in case this branch doesn't exist locally, so that the PR can find the base
+          git fetch origin "${branch}"
+          gh pr create -f -t "PRETEND PROMOTE RELEASE - release: build {{version}}" --base "${branch}" --body "Test plan: automated release PR, CI will perform additional checks"
+  finalize:
+    steps:
+      - name: git:tag
+        cmd: |
+          set -e
+          branch="wip_release-{{version}}"
+          git checkout "${branch}"
+          git tag wip_{{version}}
+          git push origin ${branch} --tags