diff --git a/.github/workflows/release-tag.yml b/.github/workflows/release-tag.yml
new file mode 100644
index 000000000..d3f8e2e8b
--- /dev/null
+++ b/.github/workflows/release-tag.yml
@@ -0,0 +1,81 @@
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: "Version to deploy (format: vX.Y.Z)"
+        required: true
+  push:
+    tags:
+      - "v[0-9]+.[0-9]+.[0-9]+"
+
+name: Release Tag
+
+# We must only run one release workflow at a time to prevent corrupting
+# our release artifacts.
+concurrency:
+  group: ${{ github.workflow }}
+  cancel-in-progress: false
+
+jobs:
+  setup:
+    runs-on: namespace-profile-ghostty-sm
+    outputs:
+      version: ${{ steps.extract_version.outputs.version }}
+    steps:
+      - name: Validate Version Input
+        if: github.event_name == 'workflow_dispatch'
+        run: |
+          if [[ ! "${{ github.event.inputs.version }}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+            echo "Error: Version must follow the format vX.Y.Z (e.g., v1.0.0)."
+            exit 1
+          fi
+
+          echo "Version is valid: ${{ github.event.inputs.version }}"
+
+      - name: Exract the Version
+        id: extract_version
+        run: |
+          if [[ "${{ github.event_name }}" == "push" ]]; then
+            # Remove the leading 'v' from the tag
+            VERSION=${GITHUB_REF#refs/tags/v}
+            echo "version=$VERSION" >> $GITHUB_OUTPUT
+          elif [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
+            VERSION=${{ github.event.inputs.version }}
+            VERSION=${VERSION#v}
+            echo "version=$VERSION" >> $GITHUB_OUTPUT
+          else
+            echo "Error: Unsupported event type."
+            exit 1
+          fi
+
+  source-tarball:
+    runs-on: namespace-profile-ghostty-md
+    needs: [setup]
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: cachix/install-nix-action@v30
+        with:
+          nix_path: nixpkgs=channel:nixos-unstable
+
+      - uses: cachix/cachix-action@v15
+        with:
+          name: ghostty
+          authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}"
+
+      - name: Create Tarball
+        run: git archive --format=tgz -o ghostty-source.tar.gz HEAD
+
+      - name: Sign Tarball
+        run: |
+          echo -n "${{ secrets.MINISIGN_KEY }}" > minisign.key
+          echo -n "${{ secrets.MINISIGN_PASSWORD }}" > minisign.password
+          nix develop -c minisign -S -m ghostty-source.tar.gz -s minisign.key < minisign.password
+
+      - name: Upload artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: source-tarball
+          path: |-
+            ghostty-source.tar.gz
+            ghostty-source.tar.gz.minisig