diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index c130033..8c3f55f 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -5,55 +5,110 @@ on:
       - 3-22.04
 
 jobs:
+
+  release_checks:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Extract branch metadata
+        shell: bash
+        run: |
+          BRANCH=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}
+          echo "branch=${BRANCH}" >> $GITHUB_OUTPUT
+          # echo "risk=${BRANCH##*\/}" >> $GITHUB_OUTPUT
+          echo "risk=edge" >> $GITHUB_OUTPUT
+          echo "track=${BRANCH%*\/*}" >> $GITHUB_OUTPUT
+        id: branch_metadata
+
+      - name: Extract ROCK metadata
+        shell: bash
+        run: |
+          VERSION=$(yq '(.version|split("-"))[0]' rockcraft.yaml)
+          BASE=$(yq '(.base|split("@"))[1]' rockcraft.yaml)
+          echo "version=${VERSION}" >> $GITHUB_OUTPUT
+          echo "base=${BASE}" >> $GITHUB_OUTPUT
+        id: rock_metadata
+
+      - name: Check consistency between metadata and release branch
+        run: |
+          MAJOR_VERSION=$(echo ${{ steps.rock_metadata.outputs.version }} | sed -n "s/\(^[0-9]*\).*/\1/p")
+          BASE=${{ steps.rock_metadata.outputs.base }}
+          if [ "${MAJOR_VERSION}-${BASE}" != "${{ steps.branch_metadata.outputs.track }}" ]; then exit 1; fi
+        continue-on-error: false
+
+    outputs:
+      branch: ${{ steps.branch_metadata.outputs.branch }}
+      track: ${{ steps.branch_metadata.outputs.track }}
+      risk: ${{ steps.branch_metadata.outputs.risk }}
+      base: ${{ steps.rock_metadata.outputs.base }}
+      version: ${{ steps.rock_metadata.outputs.version }}
+
   build:
     uses: ./.github/workflows/build.yaml
+
   publish:
-    needs: build
+    needs: [build, release_checks]
     runs-on: ubuntu-latest
-    timeout-minutes: 5
+    timeout-minutes: 15
     permissions:
       packages: write
     steps:
       - name: Checkout repository
         uses: actions/checkout@v3
-      - name: Setup Docker
-        run: |
-          sudo snap install docker
-          sudo addgroup --system docker; sudo adduser $USER docker
-          newgrp docker
-          sudo snap disable docker; sudo snap enable docker
+
       - name: Install skopeo
         run: |
           sudo snap install --devmode --channel edge skopeo
+
       - name: Install yq
         run: |
           sudo snap install yq
+
       - uses: actions/download-artifact@v3
         with:
           name: charmed-zookeeper
+
       - name: Login to GitHub Container Registry
         uses: docker/login-action@v2
         with:
           registry: ghcr.io
           username: ${{ secrets.GHCR_USER }}
           password: ${{ secrets.GHCR_TOKEN }}
+
       - name: Import and push to GHCR
         run: |
-          version=$(yq '(.version|split("-"))[0]' rockcraft.yaml)
-          base=$(yq '(.base|split("@"))[1]' rockcraft.yaml)
-          risk=edge
-          tag=${version}-${base}_${risk}
-          channel=$(echo ${{ github.ref_name }} | cut -d "-" -f 1)
+      
+          REPOSITORY="ghcr.io/canonical/"
+          RISK=${{ needs.release_checks.outputs.risk }}
+          TRACK=${{ needs.release_checks.outputs.track }}
+          if [ ! -z "$RISK" ] && [ "${RISK}" != "no-risk" ]; then TAG=${TRACK}_${RISK}; else TAG=${TRACK}; fi
+      
+          IMAGE_NAME="${REPOSITORY}charmed-zookeeper"
 
           ROCK_FILE=${{ needs.build.outputs.rock }}
 
           sudo skopeo --insecure-policy copy \
-            oci-archive:$ROCK_FILE \
-            docker-daemon:ghcr.io/canonical/charmed-zookeeper:${tag}
+            oci-archive:${ROCK_FILE} \
+            docker-daemon:${IMAGE_NAME}:${TAG}
 
-          docker tag \
-            ghcr.io/canonical/charmed-zookeeper:${tag} \
-            ghcr.io/canonical/charmed-zookeeper:${channel}_${risk}
+          COMMIT_ID=$(git log -1 --format=%H)
+          
+          # Add relevant labels
+          echo "FROM ${IMAGE_NAME}:${TAG}" | docker build --label org.opencontainers.image.revision="${COMMIT_ID}" --label org.opencontainers.image.source="${{ github.repositoryUrl }}" -t "${IMAGE_NAME}:${TAG}" -
 
-          docker push ghcr.io/canonical/charmed-zookeeper:${tag}
-          docker push ghcr.io/canonical/charmed-zookeeper:${channel}_${risk}
+          echo "Publishing ${IMAGE_NAME}:${TAG}"          
+          docker push ${IMAGE_NAME}:${TAG}
+          
+          if [[ "$RISK" == "edge" ]]; then           
+            VERSION_TAG="${{ needs.release_checks.outputs.version }}-${{ needs.release_checks.outputs.base }}_edge"
+            
+            docker tag ${IMAGE_NAME}:${TAG} ${IMAGE_NAME}:${VERSION_TAG}
+            
+            echo "Publishing ${IMAGE_NAME}:${VERSION_TAG}"          
+            docker push ${IMAGE_NAME}:${VERSION_TAG}
+          fi
+          
+          
+          
diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
index b63b67e..10777e1 100644
--- a/.github/workflows/trivy.yaml
+++ b/.github/workflows/trivy.yaml
@@ -17,9 +17,6 @@ jobs:
       - name: Install skopeo
         run: |
           sudo snap install --devmode --channel edge skopeo
-      - name: Install yq
-        run: |
-          sudo snap install yq
       - uses: actions/download-artifact@v3
         with:
           name: charmed-zookeeper