diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 2dc50183..296cd29e 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -104,7 +104,7 @@ jobs:
           git config user.name "${GITHUB_ACTOR}"
           git config user.email "${GITHUB_ACTOR}@users.noreply.github.com"
           git tag -a "${tag}" -m "${message}"
-          git push origin "${tag}"
+          # tag stays local — pushed at the end of the job, after the release is fully built
       - name: Build GoReleaser Args
         run: |
           args='release --clean --debug --timeout 90m'
@@ -141,6 +141,36 @@ jobs:
         env:
           COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
 
+      - name: Create GitHub Release
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          set -euo pipefail
+          shopt -s failglob
+
+          common=(
+            "${{ inputs.tag }}"
+            dist/*.tar.gz dist/*.zip dist/*checksums*
+            --target "${{ github.sha }}"
+            --title  "Checkmarx One CLI ${{ inputs.tag }}"
+            --generate-notes
+            --draft
+          )
+
+          if [ "${{ inputs.dev }}" = "true" ]; then
+            gh release create "${common[@]}" --prerelease
+            gh release edit   "${{ inputs.tag }}" --draft=false
+          else
+            gh release create "${common[@]}"
+            gh release edit   "${{ inputs.tag }}" --draft=false --latest
+          fi
+
+      - name: Cleanup draft release on failure
+        if: failure()
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: gh release delete "${{ inputs.tag }}" --cleanup-tag --yes || true
+
   notify:
     name: Update Teams & JIRA About New Release
     if: inputs.dev == false && 1 == 0
@@ -163,3 +193,4 @@ jobs:
     with:
       cli_version: ${{ inputs.tag }}
     secrets: inherit
+ 
\ No newline at end of file
diff --git a/.goreleaser-dev.yml b/.goreleaser-dev.yml
index 852d15fc..706adb02 100644
--- a/.goreleaser-dev.yml
+++ b/.goreleaser-dev.yml
@@ -3,6 +3,7 @@ project_name: ast-cli
 release:
   prerelease: true
   name_template: 'Checkmarx One CLI {{.Version}}'
+  disable: true
 
 builds:
   - main: ./cmd/main.go
@@ -83,7 +84,7 @@ universal_binaries:
     replace: true
     name_template: "cx"
     hooks:
-      post: bash -c 'envsubst < gonMac.hcl > /tmp/gonMac.hcl && gon /tmp/gonMac.hcl'
+      post: bash -c 'envsubst < gonMac.hcl > /tmp/gonMac.hcl && gon /tmp/gonMac.hcl || (echo "gon failed, force-detaching DMG volume..."; hdiutil detach /Volumes/cx -force 2>/dev/null || true; gon /tmp/gonMac.hcl)'
 
 blobs:
   - provider: s3
@@ -96,3 +97,4 @@ blobs:
 
 changelog:
   use: github-native
+ 
\ No newline at end of file
diff --git a/.goreleaser.yml b/.goreleaser.yml
index 5dd7977e..b1595d6f 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -2,6 +2,7 @@ project_name: ast-cli
 
 release:
   name_template: 'Checkmarx One CLI {{.Version}}'
+  disable: true
 
 builds:
   - main: ./cmd/main.go
@@ -108,7 +109,7 @@ universal_binaries:
     replace: true
     name_template: "cx"
     hooks:
-      post: bash -c 'envsubst < gonMac.hcl > /tmp/gonMac.hcl && gon /tmp/gonMac.hcl'
+      post: bash -c 'envsubst < gonMac.hcl > /tmp/gonMac.hcl && gon /tmp/gonMac.hcl || (echo "gon failed, force-detaching DMG volume..."; hdiutil detach /Volumes/cx -force 2>/dev/null || true; gon /tmp/gonMac.hcl)'
 
 # brews:
 #   - skip: true
@@ -155,3 +156,4 @@ blobs:
 
 changelog:
   use: github-native
+ 
\ No newline at end of file