diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index 352d80a..8ec90ff 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -6,69 +6,106 @@ on: - main jobs: - release-package: + release-please: runs-on: ubuntu-latest permissions: - id-token: write # Needed if using OIDC to get release secrets. contents: write # Contents and pull-requests are for release-please to make releases. pull-requests: write - attestations: write + + outputs: + release_created: ${{ steps.release.outputs.release_created }} steps: - - uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4 + # Create any releases first, then create tags, and then optionally create any new PRs. + - uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4.4.0 id: release + with: + skip-github-pull-request: true + # Need the repository content to be able to create and push a tag. - uses: actions/checkout@v4 + if: ${{ steps.release.outputs.release_created == 'true' }} + + - name: Create release tag + if: ${{ steps.release.outputs.release_created == 'true' }} + env: + TAG_NAME: ${{ steps.release.outputs.tag_name }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + if gh api "repos/${{ github.repository }}/git/ref/tags/${TAG_NAME}" >/dev/null 2>&1; then + echo "Tag ${TAG_NAME} already exists, skipping creation." + else + echo "Creating tag ${TAG_NAME}." + git config user.name "github-actions[bot]" + git config user.email "github-actions[bot]@users.noreply.github.com" + git tag "${TAG_NAME}" + git push origin "${TAG_NAME}" + fi + + - uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4.4.0 + if: ${{ steps.release.outputs.release_created != 'true' }} + id: release-prs with: - fetch-depth: 0 # Full history is required for proper changelog generation + skip-github-release: true + + # Checkout is needed for the update-cabal step below. 
+ - uses: actions/checkout@v4 + if: ${{ steps.release-prs.outputs.pr != '' }} # # This step runs and updates an existing PR # - uses: ./.github/actions/update-cabal - if: ${{ steps.release.outputs.pr != '' }} + if: ${{ steps.release-prs.outputs.pr != '' }} with: - branch: ${{ fromJSON(steps.release.outputs.pr).headBranchName }} + branch: ${{ fromJSON(steps.release-prs.outputs.pr).headBranchName }} + + release-package: + needs: release-please + if: ${{ needs.release-please.outputs.release_created == 'true' }} + runs-on: ubuntu-latest + + permissions: + id-token: write # Needed if using OIDC to get release secrets. + contents: write # Contents and pull-requests are for release-please to make releases. + attestations: write + + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 # Full history is required for proper changelog generation - uses: launchdarkly/gh-actions/actions/release-secrets@release-secrets-v1.2.0 name: "Get Hackage token" - if: ${{ steps.release.outputs.releases_created == 'true' }} with: aws_assume_role: ${{ vars.AWS_ROLE_ARN }} ssm_parameter_pairs: "/production/common/releasing/hackage/password = HACKAGE_TOKEN" - name: Install PCRE development libraries - if: ${{ steps.release.outputs.releases_created == 'true' }} run: sudo apt-get update && sudo apt-get install -y libpcre3-dev - uses: ./.github/actions/setup-cache - if: ${{ steps.release.outputs.releases_created == 'true' }} - uses: ./.github/actions/ci id: ci - if: ${{ steps.release.outputs.releases_created == 'true' }} with: token: ${{secrets.GITHUB_TOKEN}} - uses: ./.github/actions/build-docs - if: ${{ steps.release.outputs.releases_created == 'true' }} - uses: ./.github/actions/publish - if: ${{ steps.release.outputs.releases_created == 'true' }} with: token: ${{ env.HACKAGE_TOKEN }} dry_run: "false" - uses: ./.github/actions/publish-docs - if: ${{ steps.release.outputs.releases_created == 'true' }} with: # If publishing somewhere else, then get the token from SSM. 
If you need both github, # and another token, then add more tokens to the composite action. token: ${{secrets.GITHUB_TOKEN}} - name: Attest build provenance - if: ${{ steps.release.outputs.releases_created == 'true' }} uses: actions/attest@v4 with: subject-path: '${{ steps.ci.outputs.dist-dir }}/*tar.gz'
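Review bot: The `actions/checkout@v4` steps added on the new side use a mutable tag, while release-please-action in the same file is pinned to a full commit SHA; one of them now sits in the new `release-package` job, which holds `id-token: write`, `attestations: write` and the Hackage token. Pinning them the same way, e.g. `- uses: actions/checkout@<full-commit-sha> # v4`, keeps a retagged action from running inside the publishing job; the context lines `actions/attest@v4` and `release-secrets@release-secrets-v1.2.0` have the same exposure. Separately, the comment on `contents: write` in `release-package` still says the permission is for release-please, which no longer runs in that job. Either drop the permission there or reword the comment to name the step that needs it (presumably publish-docs, to be confirmed).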