diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 73d987a..21cc593 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -30,15 +30,3 @@ jobs:
         stack-yaml: ${{ matrix.stack-yaml }}
         stack-arguments: --flag yesod-auth-oauth2:example
         weeder: false
-
-  tag:
-    runs-on: ubuntu-latest
-
-    if: ${{ github.ref == 'refs/heads/main' }}
-    needs: [test]
-
-    steps:
-      - uses: actions/checkout@v2
-      - env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        uses: freckle/haskell-tag-action@v1
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 60dc438..11bf067 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -2,16 +2,25 @@ name: Release to Hackage
 
 on:
   push:
+    branches: main
     tags:
       - 'v*'
 
 jobs:
   release:
     runs-on: ubuntu-latest
-    env:
-      HACKAGE_API_KEY: ${{ secrets.HACKAGE_UPLOAD_API_KEY }}
     steps:
       - uses: actions/checkout@v2
-      - uses: freckle/stack-upload-action@main
+
+      - id: tag
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        uses: freckle/haskell-tag-action@v1
+
+      # If we're reacting to a manually pushed tag, or we just created one
+      - if: ${{ startsWith(github.ref, 'refs/tags/') || steps.tag.tag }}
+        env:
+          HACKAGE_API_KEY: ${{ secrets.HACKAGE_UPLOAD_API_KEY }}
+        uses: freckle/stack-upload-action@main
         with:
           pvp-bounds: both