diff --git a/.github/workflows/canary-deb.yaml b/.github/workflows/canary-deb.yaml
new file mode 100644
index 000000000..b78d13077
--- /dev/null
+++ b/.github/workflows/canary-deb.yaml
@@ -0,0 +1,101 @@
+name: Deb Canary
+
+on:
+ # This workflow will run from the release-automation.yaml automation on each merge
+ workflow_dispatch:
+ inputs:
+ ref_name:
+ required: true
+ type: string
+ workflow_call:
+ inputs:
+ ref_name:
+ required: true
+ type: string
+ pull_request:
+ branches:
+ - main
+ paths:
+ - '**.go'
+ - 'go.mod'
+ - 'go.sum'
+ - '.github/workflows/e2e-macos.yaml'
+ - '.github/workflows/e2e-windows.yaml'
+ - '.github/workflows/e2e-linux.yaml'
+ - 'contrib/packaging/**'
+ - 'deps/**'
+ - 'finch.yaml.d/**'
+ - 'winres'
+ - 'Makefile*'
+ - '.golangci.yaml'
+ - '!contrib/hello-finch/**'
+# This workflow will run every 5 min
+ schedule:
+ - cron: '*/5 * * * *'
+
+jobs:
+ get-latest-tag:
+ name: Get the latest release tag
+ runs-on: ubuntu-latest
+ timeout-minutes: 2
+ outputs:
+ tag: ${{ steps.latest-tag.outputs.tag }}
+ steps:
+ - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ fetch-depth: 0
+ - name: 'Get the latest tag'
+ id: latest-tag
+ uses: "WyriHaximus/github-action-get-previous-tag@04e8485ecb6487243907e330d522ff60f02283ce" # v1.4.0
+
+ canary-deb:
+ name: Test Finch APT installation
+ runs-on: ubuntu-latest
+ timeout-minutes: 3
+ needs: get-latest-tag
+ steps:
+ - name: Clean ubuntu runner workspace
+ run: rm -rf ${{ github.workspace }}/*
+
+ - name: Install Finch dependencies
+ run: |
+ sudo apt-get update
+ sudo apt install build-essential libseccomp-dev pkg-config zlib1g-dev -y
+
+ - name: Add Finch APT Repository
+ run: |
+ ARCH=$(dpkg --print-architecture)
+ echo "Detected architecture: $ARCH"
+
+ curl -fsSL https://artifact.runfinch.com/deb/GPG_KEY.pub | sudo gpg --dearmor -o /usr/share/keyrings/runfinch-finch-archive-keyring.gpg
+ echo "deb [signed-by=/usr/share/keyrings/runfinch-finch-archive-keyring.gpg arch=$ARCH] https://artifact.runfinch.com/deb noble main" | sudo tee /etc/apt/sources.list.d/runfinch-finch.list
+ sudo apt update
+
+ - name: Prepare clean environment for Finch
+ run: |
+ sudo apt remove containerd containerd.io docker.io docker-ce docker-ce-cli runc -y || true
+ sudo apt autoremove -y
+
+ - name: Install Finch with APT
+ run: sudo apt install runfinch-finch -y
+
+ - name: Verify version matches latest release
+ run: |
+ LATEST_TAG="${{ needs.get-latest-tag.outputs.tag }}"
+ echo "Latest repository tag: $LATEST_TAG"
+
+ INSTALLED_VERSION=$(finch -v)
+ echo "Installed Finch version: $INSTALLED_VERSION"
+
+ EXPECTED_VERSION="finch version $LATEST_TAG"
+ if [[ "$INSTALLED_VERSION" == "$EXPECTED_VERSION" ]]; then
+ echo "✅ Version matches: $INSTALLED_VERSION"
+ else
+ echo "❌ Version mismatch!"
+ echo " Expected: $EXPECTED_VERSION"
+ echo " Found: $INSTALLED_VERSION"
+ exit 1
+ fi
+
+ - name: Clean up environment
+ run: sudo apt remove runfinch-finch -y
diff --git a/.github/workflows/release-automation.yaml b/.github/workflows/release-automation.yaml
index 1ab83738c..d1344a58e 100644
--- a/.github/workflows/release-automation.yaml
+++ b/.github/workflows/release-automation.yaml
@@ -3,6 +3,10 @@ on: workflow_dispatch: workflow_call: +permissions: + id-token: write + contents: write + jobs: get-latest-tag: name: Get the latest release tag
@@ -62,7 +66,7 @@ jobs: # This is required for configure-aws-credentials to request an OIDC JWT ID token to access AWS resources later on. # More info: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings id-token: write - contents: read # this is required for actions/checkout + contents: write # this is required for actions/checkout secrets: inherit with: ref_name: ${{ needs.get-latest-tag.outputs.tag }}
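Review bot: In the `Verify version matches latest release` step of canary-deb.yaml, `${{ needs.get-latest-tag.outputs.tag }}` is expanded into the script text before bash runs, so a tag name containing shell metacharacters would be interpreted by the shell instead of compared as data. Pass it through the step environment instead, `env:` with `LATEST_TAG: ${{ needs.get-latest-tag.outputs.tag }}`, and drop the assignment line; `rm -rf ${{ github.workspace }}/*` can likewise use `"$GITHUB_WORKSPACE"`. The workflow also has no `permissions:` block, so on `schedule` and `workflow_call` its jobs take whatever token scope the repository default or the caller grants; a top-level `permissions:` with `contents: read` looks sufficient for both jobs. Finally, the archive key is fetched from the same host as the packages it verifies, so the canary would still pass if that host served a different key; comparing the imported key's fingerprint with a value kept in this repository would cover that.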
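Review bot: The workflow-level `permissions:` block added at the top of release-automation.yaml gives `id-token: write` and `contents: write` to every job that does not set its own, and the hunks at `@@ -62,7 +66,7`, `@@ -74,7 +78,7` and `@@ -101,7 +105,7` raise three jobs from `contents: read` to `contents: write` while the trailing comment still reads `# this is required for actions/checkout`, which needs only read access. Two of those jobs call reusable workflows with `secrets: inherit`, so the wider token reaches everything those workflows run. If one step really has to push or create a release, grant `contents: write` on that job alone, keep the workflow default at `contents: read`, and change the comment to name the step that needs it. The same question applies to the `id-token: write` added at workflow level in release-please.yaml; nothing visible in that hunk requests an OIDC token.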
@@ -74,7 +78,7 @@ jobs: # This is required for configure-aws-credentials to request an OIDC JWT ID token to access AWS resources later on. # More info: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings id-token: write - contents: read # this is required for actions/checkout + contents: write # this is required for actions/checkout secrets: inherit with: ref_name: ${{ needs.get-latest-tag.outputs.tag }}
@@ -101,7 +105,7 @@ jobs: runs-on: ubuntu-latest permissions: id-token: write - contents: read + contents: write steps: - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
diff --git a/.github/workflows/release-please.yaml b/.github/workflows/release-please.yaml
index e4cacc043..1e895252b 100644
--- a/.github/workflows/release-please.yaml
+++ b/.github/workflows/release-please.yaml
@@ -6,7 +6,8 @@ on: name: release-please permissions: - contents: read + contents: write + id-token: write pull-requests: write jobs:
diff --git a/cmd/finch/virtual_machine_settings_darwin_test.go b/cmd/finch/virtual_machine_settings_darwin_test.go
index 05a058346..44fcbc11c 100644
--- a/cmd/finch/virtual_machine_settings_darwin_test.go
+++ b/cmd/finch/virtual_machine_settings_darwin_test.go
@@ -26,6 +26,7 @@ func TestNewSettingsMCommand(t *testing.T) { assert.Equal(t, cmd.Name(), "settings") } +// testing the deb workflow func TestSettingsVMAction_runAdapter(t *testing.T) { t.Parallel()
diff --git a/release-please-config.json b/release-please-config.json
index 4c4ff1a90..23d3ec622 100644
--- a/release-please-config.json
+++ b/release-please-config.json
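Review bot: The added comment `// testing the deb workflow` says nothing about `TestSettingsVMAction_runAdapter` and reads like a placeholder edit made to match the `'**.go'` path filter of the new canary workflow. It should be dropped before merge, or replaced with a comment that describes what the test covers. The function body continues outside the hunk.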
@@ -55,5 +55,7 @@ ], "packages": { ".": {} - } + }, + "pull-request-header": "Ready for new finch release - Please verify the checklist items in the bottom of this PR before merging", + "pull-request-footer": "-[ ] The Sync Submodules wortkflow has completed successfully in finch-core repo." }
diff --git a/test.txt b/test.txt
new file mode 100644
index 000000000..07a15723a
--- /dev/null
+++ b/test.txt
@@ -0,0 +1 @@
+> [!IMPORTANT]\n> Please verify the following before merging this PR.\n> -[ ] The Sync Submodules wortkflow has completed successfully in finch-core repo. \n> -[ ] The Sync Submodules and Dependencies Workflow has completed successfully in this repo
\ No newline at end of file
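Review bot: The `pull-request-footer` string has a typo (`wortkflow`) and uses `-[ ]`, which GitHub renders as literal text and not as a task-list checkbox; `"- [ ] The Sync Submodules workflow has completed successfully in finch-core repo."` would render as intended. The header asks the reader to verify "checklist items", but the footer carries a single item while test.txt lists two, so the second item appears to be missing here. test.txt repeats the same typo and looks like a scratch file (literal `\n` sequences, no trailing newline) that should not ship with this commit.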