diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index a822c1770..f0eeca3c1 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -3,7 +3,7 @@ name: Main Workflow
 on:
   pull_request: {}
   push:
-    branches: [ "main" ]
+    branches: [ "main", "beta" ]
 
 
 concurrency:
@@ -65,7 +65,9 @@ jobs:
     needs: unit-tests
 
     # Skip running if the PR is coming from a fork or is created by dependabot or snyk due to missing repo secrets.
-    if: github.event.pull_request.head.repo.fork == false && (github.actor != 'dependabot[bot]' && github.actor != 'snyk-bot')
+    # Only run on pushes to main or PRs targeting main.
+    if: github.event.pull_request.head.repo.fork == false && (github.actor != 'dependabot[bot]' && github.actor != 'snyk-bot') &&
+        (github.ref == 'refs/heads/main' || github.base_ref == 'main')
 
     steps:
       - name: Check out the code
diff --git a/.github/workflows/release-beta.yml b/.github/workflows/release-beta.yml
new file mode 100644
index 000000000..42e489136
--- /dev/null
+++ b/.github/workflows/release-beta.yml
@@ -0,0 +1,39 @@
+name: Release Beta
+
+on:
+  push:
+    tags:
+      # Prerelease tags only, e.g. v1.2.3-beta.1. Stable releases such as
+      # v1.2.3 are handled by release.yml.
+      - "v[0-9]+.[0-9]+.[0-9]+-*"
+
+permissions:
+  contents: write
+
+jobs:
+  goreleaser:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        with:
+          fetch-depth: 0 # This ensures all history and tags are fetched
+          path: auth0-cli
+
+      - name: Set up Go
+        uses: actions/setup-go@be3c94b385c4f180051c996d336f57a34c397495 # v3.6.1
+        with:
+          go-version-file: auth0-cli/go.mod
+          check-latest: true
+
+      # GoReleaser automatically marks SemVer prerelease tags (those with a
+      # "-suffix") as GitHub prereleases. Homebrew and Scoop PRs are
+      # intentionally omitted so beta builds never reach package managers.
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@90a3faa9d0182683851fbfa97ca1a2cb983bfca3 # pin@6.2.1
+        with:
+          version: "2.7.0"
+          args: release --clean
+          workdir: 'auth0-cli'
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
\ No newline at end of file
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index ff329dc07..cb9d1d267 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -3,7 +3,10 @@ name: Release
 on:
   push:
     tags:
-      - "v*"
+      # Stable releases only, e.g. v1.2.3. Prerelease tags such as
+      # v1.2.3-beta.1 are handled by release-beta.yml.
+      - "v[0-9]+.[0-9]+.[0-9]+"
+
 
 permissions:
   contents: write
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 44a0d7fd2..19f8f7ad9 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -3,7 +3,7 @@ name: Security
 on:
   pull_request: {}
   push:
-    branches: [ "main" ]
+    branches: [ "main", "beta" ]
   schedule:
     - cron: "30 0 1,15 * *"