diff --git a/.github/workflows/release-beta.yml b/.github/workflows/release-beta.yml
index 89645566d..794f0d802 100644
--- a/.github/workflows/release-beta.yml
+++ b/.github/workflows/release-beta.yml
@@ -14,6 +14,7 @@ permissions:
 
 jobs:
   approved:
+    name: fast-forward
     if: |
       github.event.pull_request.head.ref == 'develop' &&
       github.event.pull_request.base.ref == 'main' &&
@@ -21,6 +22,9 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: write
+      packages: write
+    outputs:
+      release_tag: ${{ steps.latest-release.outputs.tagName }}
     steps:
       - uses: actions/checkout@v6
         with:
@@ -29,21 +33,46 @@ jobs:
           git checkout main
           git merge --ff-only "${{ github.event.pull_request.head.sha }}"
           git push origin main
+      - id: latest-release
+        run: |
+          latest=$(gh release list --limit 1 --json tagName --jq '.[].tagName')
+          gh release edit $latest --latest --prerelease=false
+          echo "tagName=$latest" >> $GITHUB_OUTPUT
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
-  deploy:
+  tag:
+    name: Move latest tag
     needs:
       - approved
+    runs-on: ubuntu-latest
     permissions:
-      contents: write
-      packages: write
+      contents: read
       # Required for npm OIDC
       id-token: write
+    steps:
+      - uses: actions/checkout@v6
+      - uses: actions/setup-node@v6
+        with:
+          node-version: latest
+          registry-url: https://registry.npmjs.org
+      - run: npm dist-tag add "supabase@${RELEASE_TAG#v}" latest
+        env:
+          RELEASE_TAG: ${{ needs.approved.outputs.release_tag }}
+
+  deploy:
+    needs:
+      - approved
+      - tag
     # Call workflow explicitly because events from actions cannot trigger more actions
     uses: ./.github/workflows/release.yml
+    with:
+      release: ${{ needs.approved.outputs.release_tag }}
     secrets: inherit
 
   release:
     name: semantic-release
+    if: ${{ github.event_name != 'pull_request_review' }}
     runs-on: ubuntu-latest
     permissions:
       contents: write
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 9cce7cc90..6ad527336 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,36 +1,24 @@
 name: Release
 
 on:
-  push:
-    branches:
-      - main
   workflow_call:
+    inputs:
+      release:
+        required: true
+        type: string
+  workflow_dispatch:
+    inputs:
+      release:
+        description: "v1.0.0"
+        required: true
+        type: string
 
 permissions:
   contents: read
 
 jobs:
-  settings:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: write
-      packages: write
-    env:
-      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    outputs:
-      release_tag: ${{ steps.prerelease.outputs.tagName }}
-    steps:
-      - uses: actions/checkout@v6
-      - id: prerelease
-        run: |
-          gh release list --limit 1 --json tagName --jq \
-          '.[]|to_entries|map("\(.key)=\(.value|tostring)")|.[]' >> $GITHUB_OUTPUT
-      - run: gh release edit ${{ steps.prerelease.outputs.tagName }} --latest --prerelease=false
-
   commit:
     name: Publish Brew and Scoop
-    needs:
-      - settings
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v6
@@ -47,26 +35,12 @@ jobs:
           repositories: |
             homebrew-tap
             scoop-bucket
-      - run: go run tools/publish/main.go ${{ needs.settings.outputs.release_tag }}
+      - run: go run tools/publish/main.go ${{ inputs.release }}
         env:
           GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
 
-  publish:
-    name: Publish NPM
-    needs:
-      - settings
-    permissions:
-      contents: read
-      id-token: write
-    uses: ./.github/workflows/tag-npm.yml
-    with:
-      release: ${{ needs.settings.outputs.release_tag }}
-    secrets: inherit
-
   compose:
     name: Bump self-hosted versions
-    needs:
-      - settings
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v6
@@ -89,9 +63,7 @@ jobs:
   changelog:
     name: Publish changelog
     needs:
-      - settings
       - commit
-      - publish
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v6
@@ -114,8 +86,6 @@ jobs:
 
   docs:
     name: Publish reference docs
-    needs:
-      - settings
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v6
@@ -131,6 +101,6 @@ jobs:
           owner: ${{ github.repository_owner }}
           repositories: |
             supabase
-      - run: go run docs/main.go ${{ needs.settings.outputs.release_tag }} | go run tools/bumpdoc/main.go apps/docs/spec/cli_v1_commands.yaml
+      - run: go run docs/main.go ${{ inputs.release }} | go run tools/bumpdoc/main.go apps/docs/spec/cli_v1_commands.yaml
         env:
           GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
diff --git a/.github/workflows/tag-npm.yml b/.github/workflows/tag-npm.yml
deleted file mode 100644
index 53a7c9a31..000000000
--- a/.github/workflows/tag-npm.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-name: Tag NPM
-
-on:
-  workflow_call:
-    inputs:
-      release:
-        required: true
-        type: string
-  workflow_dispatch:
-    inputs:
-      release:
-        description: "v1.0.0"
-        required: true
-        type: string
-
-permissions:
-  contents: read
-  id-token: write
-
-jobs:
-  tag:
-    name: Move latest tag
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v6
-
-      - uses: actions/setup-node@v6
-        with:
-          node-version: latest
-          registry-url: https://registry.npmjs.org
-
-      - run: npm dist-tag add "supabase@${RELEASE_TAG#v}" latest
-        env:
-          RELEASE_TAG: ${{ inputs.release }}