diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 3d4adcc01..09cc63b45 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,6 +1,10 @@
 version: 2
 updates:
   - package-ecosystem: "cargo"
+    labels:
+      - T-Task
+      - Z-Dependencies
+      - Z-Deps-Backend
     directory: "/"
     schedule:
       interval: "daily"
@@ -27,11 +31,19 @@ updates:
     directory: "/"
     schedule:
       interval: "daily"
+    labels:
+      - T-Task
+      - Z-Dependencies
+      - Z-Deps-CI
 
   - package-ecosystem: "npm"
     directory: "/frontend/"
     schedule:
       interval: "daily"
+    labels:
+      - T-Task
+      - Z-Dependencies
+      - Z-Deps-Frontend
     groups:
       storybook:
         patterns:
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 985ff0303..86225b20f 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -22,6 +22,8 @@ env:
   CARGO_TERM_COLOR: always
   CARGO_NET_GIT_FETCH_WITH_CLI: "true"
   IMAGE: ghcr.io/matrix-org/matrix-authentication-service
+  IMAGE_SYN2MAS: ghcr.io/matrix-org/matrix-authentication-service/syn2mas
+  BUILDCACHE: ghcr.io/matrix-org/matrix-authentication-service/buildcache
 
 jobs:
   build-binaries:
@@ -171,6 +173,22 @@ jobs:
             type=semver,pattern={{major}}
             type=sha
 
+      - name: Docker meta (syn2mas)
+        id: meta-syn2mas
+        uses: docker/metadata-action@v5.0.0
+        with:
+          images: "${{ env.IMAGE_SYN2MAS }}"
+          bake-target: docker-metadata-action-syn2mas
+          flavor: |
+            latest=auto
+          tags: |
+            type=ref,event=branch
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+            type=sha
+
+
       - name: Setup Cosign
         uses: sigstore/cosign-installer@v3.1.2
 
@@ -199,9 +217,11 @@ jobs:
             docker-bake.hcl
             ${{ steps.meta.outputs.bake-file }}
             ${{ steps.meta-debug.outputs.bake-file }}
+            ${{ steps.meta-syn2mas.outputs.bake-file }}
           set: |
             base.context=https://github.com/${{ github.repository }}.git#${{ github.ref }}
-            base.cache-from=type=registry,ref=${{ env.IMAGE }}:buildcache
+            syn2mas.context=https://github.com/${{ github.repository }}.git#${{ github.ref }}:tools/syn2mas/
+            base.cache-from=type=registry,ref=${{ env.BUILDCACHE }}:buildcache
 
       - name: Build and push
         id: bake
@@ -214,9 +234,10 @@ jobs:
             ${{ steps.meta-debug.outputs.bake-file }}
           set: |
             base.context=https://github.com/${{ github.repository }}.git#${{ github.ref }}
+            syn2mas.context=https://github.com/${{ github.repository }}.git#${{ github.ref }}:tools/syn2mas/
             base.output=type=image,push=true
-            base.cache-from=type=registry,ref=${{ env.IMAGE }}:buildcache
-            base.cache-to=type=registry,ref=${{ env.IMAGE }}:buildcache,mode=max
+            base.cache-from=type=registry,ref=${{ env.BUILDCACHE }}:buildcache
+            base.cache-to=type=registry,ref=${{ env.BUILDCACHE }}:buildcache,mode=max
 
       - name: Sign the images with GitHub Actions provided token
         # Only sign on tags and on commits on main branch
@@ -227,7 +248,8 @@ jobs:
         run: |-
           cosign sign --yes \
             "${{ env.IMAGE }}@${{ fromJSON(steps.bake.outputs.metadata).regular['containerimage.digest'] }}" \
-            "${{ env.IMAGE }}@${{ fromJSON(steps.bake.outputs.metadata).debug['containerimage.digest'] }}"
+            "${{ env.IMAGE }}@${{ fromJSON(steps.bake.outputs.metadata).debug['containerimage.digest'] }}" \
+            "${{ env.IMAGE_SYN2MAS }}@${{ fromJSON(steps.bake.outputs.metadata).syn2mas['containerimage.digest'] }}"
 
 
   release:
@@ -293,6 +315,17 @@ jobs:
                 ```
                 ${{ fromJSON(needs.build-image.outputs.metadata).debug['image.name'] }}
                 ```
+            
+            `syn2mas` migration tool: 
+            
+              - Digest: 
+                ```
+                ${{ env.IMAGE_SYN2MAS }}@${{ fromJSON(needs.build-image.outputs.metadata).syn2mas['containerimage.digest'] }}
+                ```
+              - Tags:
+                ```
+                ${{ fromJSON(needs.build-image.outputs.metadata).syn2mas['image.name'] }}
+                ```
 
           files: |
             mas-cli-aarch64-linux.tar.gz
diff --git a/docker-bake.hcl b/docker-bake.hcl
index 302c794be..fd6741db1 100644
--- a/docker-bake.hcl
+++ b/docker-bake.hcl
@@ -1,9 +1,10 @@
 // This is what is baked by GitHub Actions
-group "default" { targets = ["regular", "debug"] }
+group "default" { targets = ["regular", "debug", "syn2mas"] }
 
 // Targets filled by GitHub Actions: one for the regular tag, one for the debug tag
 target "docker-metadata-action" {}
 target "docker-metadata-action-debug" {}
+target "docker-metadata-action-syn2mas" {}
 
 // This sets the platforms and is further extended by GitHub Actions to set the
 // output and the cache locations
@@ -22,3 +23,8 @@ target "debug" {
   inherits = ["base", "docker-metadata-action-debug"]
   target = "debug"
 }
+
+target "syn2mas" {
+  inherits = ["base", "docker-metadata-action-syn2mas"]
+  context = "./tools/syn2mas"
+}