diff --git a/.azure-pipelines/pipelines.yml b/.azure-pipelines/pipelines.yml
index bf99f83d08bb3..1edf0ca12aa7c 100644
--- a/.azure-pipelines/pipelines.yml
+++ b/.azure-pipelines/pipelines.yml
@@ -10,6 +10,18 @@ trigger:
 # PR build config is manually overridden in Azure pipelines UI with different secrets
 pr: none
 
+variables:
+- name: isDev
+  # This must be checked/set in a `step` from the VERSION.txt file, in order to be useful
+  value: true
+- name: isMain
+  value: $[eq(variables['Build.SourceBranch'], 'refs/heads/main')]
+- name: isRelease
+  value: $[startsWith(variables['Build.SourceBranch'], 'refs/heads/release/v')]
+- name: isStableBranch
+  # A release branch can be either `main` or a `release/v1.x` stable branch
+  value: $[or(eq(variables['isMain'], 'true'), eq(variables['isRelease'], 'true'))]
+
 stages:
 - stage: precheck
   jobs:
@@ -425,11 +437,11 @@ stages:
       timeoutInMinutes: 10
       condition: always()
 
-- stage: docs
+- stage: publish
   dependsOn: ["docker"]
   condition: and(succeeded(), eq(variables['PostSubmit'], true), ne(variables['NoSync'], true))
   jobs:
-  - job: publish
+  - job: docs
     pool:
       vmImage: "ubuntu-20.04"
     steps:
@@ -458,7 +470,7 @@ stages:
         ENVOY_DOCKER_BUILD_DIR: $(Build.StagingDirectory)
         GCP_SERVICE_ACCOUNT_KEY: $(GcpServiceAccountKey)
         GCS_ARTIFACT_BUCKET: $(GcsArtifactBucket)
-      condition: eq(variables['Build.SourceBranch'], 'refs/heads/main')
+      condition: eq(variables['isMain'], 'true')
 
     - task: InstallSSHKey@0
       inputs:
@@ -474,6 +486,26 @@ stages:
         AZP_BRANCH: $(Build.SourceBranch)
         NETLIFY_TRIGGER_URL: $(NetlifyTriggerURL)
 
+  - job: github
+    dependsOn: ["docs"]
+    condition: eq(variables['isStableBranch'], 'true')
+    pool:
+      vmImage: "ubuntu-20.04"
+    steps:
+    - bash: |
+        VERSION_DEV="$(cat VERSION.txt | cut -d- -f2)"
+        if [[ $VERSION_DEV != "dev" ]]; then
+            echo "##vso[task.setvariable variable=isDev]false"
+        fi
+      displayName: Set development/release env
+
+    - script: ./ci/run_envoy_docker.sh './ci/do_ci.sh publish'
+      displayName: "Publish release to Github"
+      workingDirectory: $(Build.SourcesDirectory)
+      condition: eq(variables['isDev'], 'false')
+      env:
+        GITHUB_TOKEN: $(GitHubPublicRepoOnlyAccessToken)
+
 - stage: verify
   dependsOn: ["docker"]
   jobs:
diff --git a/ci/do_ci.sh b/ci/do_ci.sh
index 8aac5c2e21639..3495024692f55 100755
--- a/ci/do_ci.sh
+++ b/ci/do_ci.sh
@@ -8,7 +8,7 @@ set -e
 build_setup_args=""
 if [[ "$1" == "format" || "$1" == "fix_proto_format" || "$1" == "check_proto_format" || "$1" == "docs" ||  \
           "$1" == "bazel.clang_tidy" || "$1" == "bazel.distribution" \
-          || "$1" == "deps" || "$1" == "verify_examples" \
+          || "$1" == "deps" || "$1" == "verify_examples" || "$1" == "publish" \
           || "$1" == "verify_distro" ]]; then
     build_setup_args="-nofetch"
 fi
@@ -520,6 +520,9 @@ elif [[ "$CI_TARGET" == "verify_distro" ]]; then
     fi
     bazel run "${BAZEL_BUILD_OPTIONS[@]}" //distribution:verify_packages "$PACKAGE_BUILD"
     exit 0
+elif [[ "$CI_TARGET" == "publish" ]]; then
+    bazel run "${BAZEL_BUILD_OPTIONS[@]}" //tools/project:publish
+    exit 0
 else
   echo "Invalid do_ci.sh target, see ci/README.md for valid targets."
   exit 1
diff --git a/tools/base/requirements.in b/tools/base/requirements.in
index 912f737aeab81..4498731c19b0f 100644
--- a/tools/base/requirements.in
+++ b/tools/base/requirements.in
@@ -4,7 +4,7 @@ aiohttp>=3.8.1
 cffi>=1.15.0
 colorama
 coloredlogs
-envoy.base.utils>=0.3.6
+envoy.base.utils>=0.3.7
 envoy.code.check>=0.2.1
 envoy.dependency.check>=0.1.5
 envoy.dependency.pip_check>=0.1.2
diff --git a/tools/base/requirements.txt b/tools/base/requirements.txt
index 24e01eba87fb7..516055ebaa695 100644
--- a/tools/base/requirements.txt
+++ b/tools/base/requirements.txt
@@ -25,9 +25,9 @@ aio-api-bazel==0.0.2 \
     --hash=sha256:56e36463d236e477b7e282f2d870185a0b978b50e2c3803c1ebf8b8ac4b18f5b \
     --hash=sha256:d3f563b7698e874437d80538a89dd4d79bc37de2e850c846330ae456e3f21dcc
     # via -r requirements.in
-aio-api-github==0.1.2 \
-    --hash=sha256:0c9eabf16e60dddd3879c27337f7c31e5582c9144a5aef268941dd08b0ddf342 \
-    --hash=sha256:144808e4832dfd6895ed1887bd96d9f4d289761ec03ecbeb589434bcce686b33
+aio-api-github==0.1.4 \
+    --hash=sha256:0a09e476ca4eea3d8a0caa861223f170b4a7f4c1b96976574b8d2a282544d353 \
+    --hash=sha256:9796778d6b7993e7a3b0ba68af46a314091dcbae2ab98e8f42e3dd5631ed7ab3
     # via
     #   envoy-base-utils
     #   envoy-dependency-check
@@ -309,9 +309,9 @@ docutils==0.16 \
     #   sphinx
     #   sphinx-rtd-theme
     #   sphinx-tabs
-envoy-base-utils==0.3.6 \
-    --hash=sha256:09bab1310ffd133250e484201244eb11ab019ac36362b14f913ce91ecb023cb3 \
-    --hash=sha256:ad699b94fd7c63088266a5cbc74ff732e653e586b5c1b9002351080c7d850c09
+envoy-base-utils==0.3.7 \
+    --hash=sha256:5c79aa70de6b7014a5b955822eb83324fd222b7cf7bb656e12a018c747b4f2df \
+    --hash=sha256:ac7850ec1c90253964a5d7f7847a3c3317f9d77607e6f90d1fb5aeb975ac2842
     # via
     #   -r requirements.in
     #   envoy-code-check
diff --git a/tools/project/BUILD b/tools/project/BUILD
index f5912d2cf03bc..c072f656e28dc 100644
--- a/tools/project/BUILD
+++ b/tools/project/BUILD
@@ -35,3 +35,13 @@ envoy_entry_point(
     pkg = "envoy.base.utils",
     script = "envoy.project",
 )
+
+envoy_entry_point(
+    name = "publish",
+    args = [
+        "publish",
+        PATH,
+    ],
+    pkg = "envoy.base.utils",
+    script = "envoy.project",
+)