diff --git a/.github/workflows/on-commits.yml b/.github/workflows/create-final-bosh-release-on-commits.yml
similarity index 65%
rename from .github/workflows/on-commits.yml
rename to .github/workflows/create-final-bosh-release-on-commits.yml
index df0c776d..c24415f0 100644
--- a/.github/workflows/on-commits.yml
+++ b/.github/workflows/create-final-bosh-release-on-commits.yml
@@ -1,13 +1,21 @@
-name: vendor-add-blob-create-dev-release
+name: create-final-bosh-release
 
+permissions:
+  contents: write # allow git push to repo and the github release and its artefact
 on:
   push:
     branches:
       - master
-      - release-*
       # See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet
       # *: Matches zero or more characters, but does not match the / character. For example, Octo* matches Octocat.
       # **: Matches zero or more of any character.
+    paths: # only trigger on bosh-relevant changes
+      - .final_builds/**
+      - config/**
+      - jobs/**
+      - releases/**
+      - vendir.yml
+      - .github/workflows/create-final-bosh-release-on-commits.yml
 
 jobs:
   build:
@@ -61,11 +69,13 @@ jobs:
           #pwd
           #find .
           # configure git
-          git config --global user.name "actions/k3s-boshrelease"
+          git config --global user.name "workflows/nerdctl-package/create-final-bosh-release"
           git config --global user.email "<>"
           git config --global --add safe.directory /github/workspace
           export VENDIR_GITHUB_API_TOKEN="${GITHUB_TOKEN}"
           ./vendor.sh
+          echo "State after vendir:"
+          tree -s src
           git add vendir.lock
           # FIXME: optimize for idempotency 
           ./addblob.sh
@@ -79,36 +89,42 @@ jobs:
           else
             echo "Nothing to commit"
           fi
+          echo "Resulting State:" 
           tree -s src
           if [ -d blobs ];then # The blobs dir is only present when a blob is modified or has not yet been published.
             tree -s blobs
           fi
-      
-
-      # TODO: optimize to only create a dev release if the blobs.yaml file has some changes
-      # Possibly by setting an env var and checking it into next step
-      # See https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#setting-an-environment-variable
-      # and if clause https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsif
-      - name: create bosh dev release
+      - name: Extract nerdctl version
+        id: extract_version
+        uses: orange-cloudfoundry/extract-vendir-version-action@v0.1.0
+        with:
+          library: "containerd/nerdctl"
+      - name: create bosh final release
         id: create-bosh-release
-        uses: orange-cloudfoundry/bosh-release-action@v2 # will create dev release when pushed git ref is not a tag
+        uses: orange-cloudfoundry/create-bosh-release-action@v1.0.1
         with:
           target_branch: ${{github.ref_name}}
+          tag_name: ${{ steps.extract_version.outputs.version }}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           AWS_BOSH_ACCES_KEY_ID: ${{ secrets.AWS_BOSH_ACCES_KEY_ID }}
           AWS_BOSH_SECRET_ACCES_KEY: ${{ secrets.AWS_BOSH_SECRET_ACCES_KEY }}
 
-      # See https://docs.github.com/en/actions/using-workflows/storing-workflow-data-as-artifacts
-      # This creates a zip file containing the k3s-master.tgz file
-
-      # See https://github.com/actions/upload-artifact#zipped-artifact-downloads
-      # > There is currently no way to download artifacts after a workflow run finishes in a format other than a zip or
-      # > to download artifact contents individually. One of the consequences of this limitation is that if a zip is
-      # > uploaded during a workflow run and then downloaded from the UI, there will be a double zip created.
-      - name: Archive bosh dev release tgz
-        uses: actions/upload-artifact@v3
+      # see https://github.com/ncipollo/release-action
+      - name: create github release
+        id: create-github-release
+        if: ${{ steps.create-bosh-release.outputs.need_gh_release == 'true' }}
+        uses: ncipollo/release-action@v1.13.0
         with:
-          name: archive-bosh-dev-release-tgz
-          path: |
-            k3s-*.tgz
+          tag: ${{ steps.create-bosh-release.outputs.tagged_version }}
+          draft: false
+          allowUpdates: true # > indicates if we should update a release if it already exists.
+          omitDraftDuringUpdate: true # > Indicates if the draft flag should be omitted during updates. The draft flag will still be applied for newly created releases. This will preserve the existing draft state during updates.
+          generateReleaseNotes: true
+          artifacts: ./${{ steps.create-bosh-release.outputs.file }}
+          artifactContentType: application/zip
+          removeArtifacts: true
+          artifactErrorsFailBuild: true
+
+
+
diff --git a/.github/workflows/on-tags.yml b/.github/workflows/on-tags.yml
deleted file mode 100644
index 15f85386..00000000
--- a/.github/workflows/on-tags.yml
+++ /dev/null
@@ -1,66 +0,0 @@
-name: build-and-release
-
-on:
-  push:
-    # not consider simple commit
-    branches:
-      - '!*'
-    # consider only release and pre-release tags
-    tags:
-      - '[0-9]+.[0-9]+' # tag format currently used by k3s-bosh-release: e.g. 124.12
-      - '[0-9]+.[0-9]+.[0-9]+'
-      - '[0-9]+.[0-9]+.[0-9]+-rc[0-9]+'
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    steps:
-      - name: checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: create bosh release
-        id: create-bosh-release
-        uses: orange-cloudfoundry/bosh-release-action@v2
-        if: success() && startsWith(github.ref, 'refs/tags/')
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          AWS_BOSH_ACCES_KEY_ID: ${{ secrets.AWS_BOSH_ACCES_KEY_ID }}
-          AWS_BOSH_SECRET_ACCES_KEY: ${{ secrets.AWS_BOSH_SECRET_ACCES_KEY }}
-
-      - name: create github release
-        id: create-github-release
-        if: success() && startsWith(github.ref, 'refs/tags/')
-        uses: actions/create-release@v1
-        with:
-          tag_name: ${{ github.ref }}
-          release_name: ${{ github.ref }}
-          body: "cutting release ${{ steps.create-bosh-release.outputs.version }}"
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: upload-assets
-        id: upload-release-asset
-        uses: actions/upload-release-asset@v1
-        with:
-          upload_url: ${{ steps.create-github-release.outputs.upload_url }}
-          asset_path: ./${{ steps.create-bosh-release.outputs.file }}
-          asset_name: ${{ steps.create-bosh-release.outputs.file }}
-          asset_content_type: application/zip
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-      - uses: EndBug/add-and-commit@1bad3abcf0d6ec49a5857d124b0bfb52dc7bb081 # v9.1.3: https://github.com/EndBug/add-and-commit/commits/v9.1.3
-        with:
-          # The arguments for the `git add` command (see the paragraph below for more info)
-          # Default: '.'
-          add: 'releases/k3s'
-          # Determines the way the action fills missing author name and email. Three options are available:
-          # - github_actor -> UserName <UserName@users.noreply.github.com>
-          # - user_info -> Your Display Name <your-actual@email.com>
-          # - github_actions -> github-actions <email associated with the github logo>
-          # Default: github_actor
-          default_author: github_actions
-          message: "Add missing generated files for ${{ steps.create-bosh-release.outputs.version }}"
-