diff --git a/.github/release-drafter.yml b/.github/release-drafter-config.yml
similarity index 82%
rename from .github/release-drafter.yml
rename to .github/release-drafter-config.yml
index a4c29ffc0..dc4953957 100644
--- a/.github/release-drafter.yml
+++ b/.github/release-drafter-config.yml
@@ -1,5 +1,5 @@
 ---
-name-template: 'Version $RESOLVED_VERSION'
+name-template: 'v$RESOLVED_VERSION'
 tag-template: 'v$RESOLVED_VERSION'
 change-template: '- $TITLE @$AUTHOR (#$NUMBER)'
 template: |
@@ -9,7 +9,7 @@ template: |
 
   ---
 
-  *Full Changelog**: https://github.com/finos/git-proxy/compare/$PREVIOUS_TAG...v$RESOLVED_VERSION
+  **Full Changelog**: https://github.com/finos/git-proxy/compare/$PREVIOUS_TAG...v$RESOLVED_VERSION
 
 categories:
   - title: '🚀 Features'
@@ -44,10 +44,7 @@ version-resolver:
 autolabeler:
   - label: 'automation'
     title:
-      - '/^(ci|perf|refactor|test).*/i'
-  - label: 'enhancement'
-    title:
-      - '/^(style).*/i'
+      - '/^(ci|perf|refactor|test|style).*/i'
   - label: 'documentation'
     title:
       - '/^(docs).*/i'
diff --git a/.github/workflows/auto-label.yml b/.github/workflows/auto-label.yml
new file mode 100644
index 000000000..c1fcd22e2
--- /dev/null
+++ b/.github/workflows/auto-label.yml
@@ -0,0 +1,19 @@
+---
+name: Add PR Labels
+
+on:
+  pull_request_target:
+    types: [opened, reopened, synchronize]
+
+permissions:
+  contents: read
+
+jobs:
+  auto_label:
+    permissions:
+      pull-requests: write
+    runs-on: ubuntu-latest
+    steps:
+      - uses: release-drafter/release-drafter/autolabeler@563bf132657a13ded0b01fcb723c5a58cdd824e2
+        with:
+          config-name: release-drafter-config.yml
diff --git a/.github/workflows/npm.yml b/.github/workflows/npm.yml
index e71bc334b..4ef1f6406 100644
--- a/.github/workflows/npm.yml
+++ b/.github/workflows/npm.yml
@@ -2,6 +2,16 @@ name: Publish to NPM
 on:
   release:
     types: [published]
+  workflow_dispatch:
+    inputs:
+      dry_run:
+        required: false
+        default: 'true'
+        type: choice
+        options:
+          - 'true'
+          - 'false'
+
 permissions:
   contents: read
   id-token: write
@@ -24,13 +34,45 @@ jobs:
       - run: npm ci
       - run: npm run build
 
-      - name: Check if pre-release and publish to NPM
+      - name: Determine dist-tag and publish
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+          DRY_RUN: ${{ github.event_name == 'workflow_dispatch' && inputs.dry_run || 'false' }}
         run: |
+          set -euo pipefail
           VERSION=$(node -p "require('./package.json').version")
+          PKG_NAME=$(node -p "require('./package.json').name")
+          echo "Publishing $PKG_NAME@$VERSION"
+
+          # Build the publish command flags.
+          PUBLISH_FLAGS=(--access=public)
+          if [[ "$DRY_RUN" == "true" ]]; then
+            PUBLISH_FLAGS+=(--dry-run)
+            echo "DRY RUN — nothing will actually be published."
+          fi
+
+          # Pre-releases (ex: 2.1.0-rc.1) get tagged as 'rc'
           if [[ "$VERSION" == *"-"* ]]; then
-            echo "Publishing pre-release: $VERSION"
-            npm publish --access=public --tag rc
+            echo "Pre-release detected, publishing under 'rc' tag"
+            npm publish "${PUBLISH_FLAGS[@]}" --tag rc
+            exit 0
+          fi
+
+          # Look up current 'latest' on NPM. If never published before,
+          # defaults to 0.0.0 so any release (0.1.0, 1.0.0, etc.) becomes latest
+          CURRENT_LATEST=$(npm view "$PKG_NAME" version 2>/dev/null || echo "0.0.0")
+          echo "Current 'latest' on npm: $CURRENT_LATEST"
+
+          # If this version is strictly greater than the current 'latest',
+          # it becomes latest
+          if npx --yes semver "$VERSION" -r ">$CURRENT_LATEST" >/dev/null 2>&1; then
+            echo "Publishing as 'latest'"
+            npm publish "${PUBLISH_FLAGS[@]}"
           else
-            echo "Publishing stable release: $VERSION"
-            npm publish --access=public
+            # Otherwise, this is a maintenance release on an older line
+            # Tag as v<major>.<minor> so users can pin to it
+            MAJOR_MINOR=$(echo "$VERSION" | cut -d. -f1,2)
+            DIST_TAG="release-${MAJOR_MINOR}"
+            echo "Maintenance release detected, publishing under '$DIST_TAG' tag"
+            npm publish "${PUBLISH_FLAGS[@]}" --tag "$DIST_TAG"
           fi
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
new file mode 100644
index 000000000..2afb7474d
--- /dev/null
+++ b/.github/workflows/release-drafter.yml
@@ -0,0 +1,33 @@
+name: Release Drafter
+
+on:
+  push:
+    branches:
+      - 'release/**'
+
+permissions:
+  contents: read
+
+jobs:
+  update_release_draft:
+    permissions:
+      # Required to create/update the draft release
+      # Autolabeling runs in a separate workflow so this job only
+      # needs to read merged PRs
+      contents: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
+      - uses: release-drafter/release-drafter@563bf132657a13ded0b01fcb723c5a58cdd824e2
+        with:
+          # Target the branch that triggered this run
+          # Ex: "release/2.1" becomes the commitish for the draft
+          commitish: ${{ github.ref_name }}
+          repository: ${{ github.repository }}
+          config-name: release-drafter-config.yml
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}