diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 01e72a92fc..472bc4e0db 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -21,7 +21,6 @@ jobs:
         with:
           cache: 'npm'
           node-version-file: '.nvmrc'
-      - uses: wagoid/commitlint-github-action@9763196e10f27aef304c9b8b660d31d97fce0f99 # v5
       - name: Debug info
         run: |
           cat <<EOF
diff --git a/.github/workflows/commitlint.yml b/.github/workflows/commitlint.yml
new file mode 100644
index 0000000000..4a615c8723
--- /dev/null
+++ b/.github/workflows/commitlint.yml
@@ -0,0 +1,9 @@
+name: Lint commit messages
+on: [pull_request]
+
+jobs:
+  commitlint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+      - uses: wagoid/commitlint-github-action@5ce82f5d814d4010519d15f0552aec4f17a1e1fe # v5
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index c4f9ff2533..c6eb3a888f 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -8,14 +8,42 @@ jobs:
   ci:
     uses: ./.github/workflows/ci.yml
   cd:
+    needs:
+      - ci
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-      - uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4
-        with:
-          cache: 'npm'
-          node-version-file: '.nvmrc'
-          registry-url: 'https://registry.npmjs.org'
+      - name: Debug info
+        run: |
+          cat <<EOF
+          Release tag name: ${{ github.event.release.tag_name }}
+          Release target commit-ish: ${{ github.event.release.target_commitish }}
+          EOF
+
+      - name: Determine NPM tag
+        id: npm_tag
+        shell: bash
+        run: |
+          case ${{ github.event.release.target_commitish }} in
+            develop | main | master)
+              if [[ ${{ github.event.release.prerelease }} == true ]]; then
+                npm_tag=beta
+              else
+                npm_tag=latest
+              fi
+              ;;
+            *)
+              # use the branch name
+              npm_tag="${{ github.event.release.target_commitish }}"
+              ;;
+          esac
+          echo "Determined NPM tag: [$npm_tag]"
+          echo "npm_tag=${npm_tag}" >> "$GITHUB_OUTPUT"
+      - name: Check NPM tag
+        run: |
+          if [ -z "${{ steps.npm_tag.outputs.npm_tag }}" ]; then
+            echo "Refusing to publish with empty NPM tag."
+            exit 1
+          fi
 
       - name: Config GitHub user
         shell: bash
@@ -23,6 +51,16 @@ jobs:
           git config --global user.name 'GitHub Actions'
           git config --global user.email 'github-actions@localhost'
 
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          token: ${{ secrets.PAT_RELEASE_PUSH }} # persists the token for pushing to the repo later
+
+      - uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4
+        with:
+          cache: 'npm'
+          node-version-file: '.nvmrc'
+          registry-url: 'https://registry.npmjs.org'
+
       - uses: ./.github/actions/install-dependencies
 
       - name: Update the version in the package files
@@ -32,28 +70,28 @@ jobs:
           NEW_VERSION="${GIT_TAG/v/}"
 
           npm version "$NEW_VERSION" --no-git-tag-version
-          git add package* && git commit -m "Release $NEW_VERSION"
+          git add package* && git commit -m "chore(release): $NEW_VERSION [skip ci]"
 
       - name: Build packages
         run: npm run build
 
       - name: Publish scratch-svg-renderer
-        run: npm publish --access=public --workspace=@scratch/scratch-svg-renderer
+        run: npm publish --access=public --tag="${{steps.npm_tag.outputs.npm_tag}}" --workspace=@scratch/scratch-svg-renderer
         env:
           NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}
 
       - name: Publish scratch-render
-        run: npm publish --access=public --workspace=@scratch/scratch-render
+        run: npm publish --access=public --tag="${{steps.npm_tag.outputs.npm_tag}}" --workspace=@scratch/scratch-render
         env:
           NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}
 
       - name: Publish scratch-vm
-        run: npm publish --access=public --workspace=@scratch/scratch-vm
+        run: npm publish --access=public --tag="${{steps.npm_tag.outputs.npm_tag}}" --workspace=@scratch/scratch-vm
         env:
           NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}
 
       - name: Publish scratch-gui
-        run: npm publish --access=public --workspace=@scratch/scratch-gui
+        run: npm publish --access=public --tag="${{steps.npm_tag.outputs.npm_tag}}" --workspace=@scratch/scratch-gui
         env:
           NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}
 
@@ -110,5 +148,3 @@ jobs:
           publish_dir: ./packages/scratch-gui/build
           destination_dir: scratch-gui
           full_commit_message: "Build for ${{ github.sha }} ${{ github.event.head_commit.message }}"
-    needs:
-      - ci