diff --git a/.github/workflows/check-tag.yml b/.github/workflows/check-tag.yml
new file mode 100644
index 0000000..26d4d22
--- /dev/null
+++ b/.github/workflows/check-tag.yml
@@ -0,0 +1,61 @@
+name: Check Tag
+
+on:
+  push:
+    tags:
+      - "v*"
+
+jobs:
+  check-tag:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          fetch-depth: 0 # Need to get all history to check that we're on main
+
+      - name: Check branch
+        run: |
+          TAG_COMMIT=$(git rev-parse "$GITHUB_REF")
+          MAIN_COMMIT=$(git rev-parse origin/main)
+
+          if [ "$TAG_COMMIT" != "$MAIN_COMMIT" ]; then
+            echo "Tag commit: $TAG_COMMIT"
+            echo "Main tip commit: $MAIN_COMMIT"
+            echo "Error: Tag does not appear to be on main. Exiting."
+            exit 1
+          fi
+
+      - name: Check tag
+        run: |
+          PACKAGE_VERSION=$(jq -r ".version" package.json)
+
+          if [ "$TAG" != "v${PACKAGE_VERSION}" ]; then
+            echo "Pushed tag: $TAG"
+            echo "Version in package.json: $PACKAGE_VERSION"
+            echo "Error: Tag does not appear to match version in package.json. Exiting."
+            exit 1
+          fi
+        env:
+          TAG: ${{ github.ref_name }} # On push.tags this is the name of the tag
+
+  cleanup:
+    runs-on: ubuntu-latest
+    needs:
+      - "check-tag"
+    if: ${{ always() && contains(needs.*.result, 'failure') }}
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/checkout@v5
+
+      - name: Delete tag
+        run: |
+          git tag -d "$TAG"
+          git push --delete origin "$TAG"
+        env:
+          TAG: ${{ github.ref_name }} # On push.tags this is the name of the tag
+
+      - name: Die
+        run: exit 1
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 53fb50c..5c4f26d 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -1,9 +1,9 @@
 name: Publish
 
 on:
-  push:
-    branches:
-      - main
+  release:
+    types:
+      - "released"
 
 permissions:
   id-token: write # Required for OIDC
@@ -33,5 +33,5 @@ jobs:
       - name: Build module
         run: npm run build
 
-      - name: Build module
+      - name: Publish module
         run: npm publish --access public
diff --git a/.husky/pre-push b/.husky/pre-push
index 5de7ecd..1a6c6ed 100755
--- a/.husky/pre-push
+++ b/.husky/pre-push
@@ -1,9 +1,14 @@
-#!/bin/sh
+#!/usr/bin/env sh
 . "$(dirname -- "$0")/_/husky.sh"
 
-npm run test
-CHANGED=$(git diff origin/main package.json | grep '"version":')
-if [ -z "$CHANGED" ]; then
+if git diff origin/main..HEAD --name-only | grep -Eq '\.(js|ts|json|py)$'; then
+  echo "Code changes detected"
+else
+  echo "No code changes detected. Skipping tests."
+  exit 0
+fi
+
+if git diff origin/main package.json | grep '"version":'; then
   echo "ERROR: You must update package.json version before pushing to main!"
   exit 1
 fi