diff --git a/.github/actions/asana-create-action-item/templates/delete-branch-failed.yml b/.github/actions/asana-create-action-item/templates/delete-branch-failed.yml index 61fe66bad0..61225c1281 100644 --- a/.github/actions/asana-create-action-item/templates/delete-branch-failed.yml +++ b/.github/actions/asana-create-action-item/templates/delete-branch-failed.yml @@ -6,7 +6,7 @@ data: The ${TAG} public release has been successfully tagged and published in GitHub releases, but deleting ${BRANCH} branch failed. Please delete it manually: Complete this task when ready, or if the release branch has already been deleted. diff --git a/.github/actions/create-tag-and-github-release/action.yml b/.github/actions/create-tag-and-github-release/action.yml index 5971212b3f..21b7d34f6b 100644 --- a/.github/actions/create-tag-and-github-release/action.yml +++ b/.github/actions/create-tag-and-github-release/action.yml @@ -12,10 +12,10 @@ inputs: type: string outputs: promoted-tag: - description: "Pre-release tag that has been promoted to a release tag" + description: "Pre-release tag (x.y.z-N) that has been promoted to a release tag (x.y.z)" value: ${{ steps.compute-tag.outputs.promoted-tag }} tag: - description: "Tag that has been added" + description: "Tag that has been added (x.y.z-N for internal, x.y.z for public and hotfixes)" value: ${{ steps.compute-tag.outputs.tag }} tag-created: description: "Whether the tag has been created" diff --git a/.github/workflows/bump_internal_release.yml b/.github/workflows/bump_internal_release.yml index cf1a8805bd..4695e7bb57 100644 --- a/.github/workflows/bump_internal_release.yml +++ b/.github/workflows/bump_internal_release.yml 
@@ -114,3 +114,17 @@ jobs: secrets: ASANA_ACCESS_TOKEN: ${{ secrets.ASANA_ACCESS_TOKEN }} GHA_ELEVATED_PERMISSIONS_TOKEN: ${{ secrets.GHA_ELEVATED_PERMISSIONS_TOKEN }} + + publish_release: + name: Publish DMG Release + needs: [ tag_and_merge ] + uses: ./.github/workflows/publish_dmg_release.yml + with: + asana-task-url: ${{ github.event.inputs.asana-task-url }} + + secrets: + ASANA_ACCESS_TOKEN: ${{ secrets.ASANA_ACCESS_TOKEN }} + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID_RELEASE_S3 }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY_RELEASE_S3 }} + GHA_ELEVATED_PERMISSIONS_TOKEN: ${{ secrets.GHA_ELEVATED_PERMISSIONS_TOKEN }} + SPARKLE_PRIVATE_KEY: ${{ secrets.SPARKLE_PRIVATE_KEY }} diff --git a/.github/workflows/publish_dmg_release.yml b/.github/workflows/publish_dmg_release.yml index ede4d5c7cb..56af9a7d1d 100644 --- a/.github/workflows/publish_dmg_release.yml +++ b/.github/workflows/publish_dmg_release.yml @@ -19,16 +19,33 @@ on: - internal - public - hotfix - + workflow_call: + inputs: + asana-task-url: + description: "Asana release task URL" + required: true + type: string + secrets: + ASANA_ACCESS_TOKEN: + required: true + AWS_ACCESS_KEY_ID: + required: true + AWS_SECRET_ACCESS_KEY: + required: true + GHA_ELEVATED_PERMISSIONS_TOKEN: + required: true + SPARKLE_PRIVATE_KEY: + required: true + jobs: - # This is only run for public and hotfix releases + # This is only run for public and hotfix releases, so only when it's triggered manually. # Internal release has been tagged as part of code_freeze or bump_interal_release workflows tag-public-release: name: Tag public release - if: ${{ github.event.inputs.release-type != 'internal' }} + if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.release-type != 'internal' }} uses: ./.github/workflows/tag_release.yml with: 
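Review bot: The `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` secrets passed by the new `publish_release` job do not appear to be read by the called workflow: the upload step shown as context in publish_dmg_release.yml (`@@ -169,7 +198,6 @@`) still takes `secrets.TEST_AWS_ACCESS_KEY_ID_RELEASE_S3` and `secrets.TEST_AWS_SECRET_ACCESS_KEY_RELEASE_S3`. A workflow invoked through `workflow_call` only sees the secrets its caller passes, so on this path those two names would resolve to empty strings and the S3 upload would run without credentials. Either read `secrets.AWS_ACCESS_KEY_ID` and `secrets.AWS_SECRET_ACCESS_KEY` in the upload step, or pass the `TEST_*` names from here. Passing the signing key and S3 credentials by name rather than with `secrets: inherit` is worth keeping, since it limits what the publishing job can reach.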
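Review bot: The condition `github.event_name == 'workflow_dispatch'` on `tag-public-release` cannot tell a manual run from a reusable-workflow call, because inside a called workflow the `github` context belongs to the caller, so `github.event_name` is the caller's trigger and never `workflow_call`. bump_internal_release.yml reads `github.event.inputs.asana-task-url`, which suggests it is itself dispatched manually; in that case this job would still run for an internal bump, since `release-type` is empty and therefore `!= 'internal'`. The same comparison against `'workflow_call'` gates the `Download tag artifact` and `Set tag variable` steps in `@@ -52,15 +73,25 @@` and both new steps in tag_release.yml `@@ -83,6 +83,18 @@`, which would then be skipped. Declaring `release-type` (and `tag`) under `workflow_call.inputs`, passing `release-type: internal` from the caller, and testing `if: ${{ inputs.release-type != 'internal' }}` avoids depending on the event name.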
@@ -43,6 +60,10 @@ jobs: name: Publish a release to Sparkle + env: + RELEASE_TYPE: ${{ github.event.inputs.release-type || 'internal' }} + SPARKLE_DIR: ${{ github.workspace }}/sparkle-updates + needs: [tag-public-release] # Allow to run even if the tag-public-release job was skipped (e.g. for internal releases) @@ -52,15 +73,25 @@ jobs: runs-on: macos-13-xlarge timeout-minutes: 10 - env: - SPARKLE_DIR: ${{ github.workspace }}/sparkle-updates - steps: + - name: Download tag artifact + if: ${{ github.event_name == 'workflow_call' }} + uses: actions/download-artifact@v4 + with: + name: tag + path: .github + + - name: Set tag variable + run: | + if [[ "${{ github.event_name }}" == 'workflow_call' ]]; then + echo "tag=$(<.github/tag)" >> $GITHUB_ENV + else + echo "tag=${{ github.event.inputs.tag }}" >> $GITHUB_ENV + fi + - name: Verify the tag id: verify-tag - env: - tag: ${{ github.event.inputs.tag }} run: | tag_regex='^[0-9]+\.[0-9]+\.[0-9]+-[0-9]+$' @@ -87,12 +118,11 @@ jobs: - name: Fetch DMG id: fetch-dmg - if: ${{ github.event.inputs.release-type != 'public' }} env: DMG_NAME: duckduckgo-${{ steps.verify-tag.outputs.release-version }}.dmg run: | # Public release doesn't need fetching a DMG (it's already uploaded to S3) - if [[ "${{ github.event.inputs.release-type }}" != 'public' ]]; then + if [[ "${RELEASE_TYPE}" != 'public' ]]; then DMG_URL="${{ vars.TEST_DMG_URL_ROOT }}${DMG_NAME}" curl -fLSs -o "$DMG_NAME" "$DMG_URL" fi @@ -121,7 +151,6 @@ jobs: env: DMG_PATH: ${{ steps.fetch-dmg.outputs.dmg-path }} SPARKLE_PRIVATE_KEY: ${{ secrets.SPARKLE_PRIVATE_KEY }} - RELEASE_TYPE: ${{ github.event.inputs.release-type }} VERSION: ${{ steps.verify-tag.outputs.release-version }} run: | echo -n "$SPARKLE_PRIVATE_KEY" > sparkle_private_key 
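Review bot: The `Set tag variable` step in `@@ -52,15 +73,25 @@` pastes `${{ github.event.inputs.tag }}` into the script text, whereas the lines removed from `Verify the tag` passed it through `env:`. The value is expanded before the shell runs and before `tag_regex` is applied, so shell metacharacters in the input become part of the script. Keep it in the environment, with `env:` holding `INPUT_TAG: ${{ github.event.inputs.tag }}`, and write `echo "tag=${INPUT_TAG}" >> "$GITHUB_ENV"`. The artifact branch has a related gap: `$(<.github/tag)` is appended to `GITHUB_ENV` unvalidated, and a multi-line value would define extra variables for every later step, so the regex check belongs before the write. The `Verify the tag` step body continues outside the hunk.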
@@ -169,7 +198,6 @@ jobs: AWS_ACCESS_KEY_ID: ${{ secrets.TEST_AWS_ACCESS_KEY_ID_RELEASE_S3 }} AWS_SECRET_ACCESS_KEY: ${{ secrets.TEST_AWS_SECRET_ACCESS_KEY_RELEASE_S3 }} AWS_DEFAULT_REGION: ${{ vars.TEST_AWS_DEFAULT_REGION }} - RELEASE_TYPE: ${{ github.event.inputs.release-type }} VERSION: ${{ steps.verify-tag.outputs.release-version }} run: | # Back up existing appcast2.xml @@ -208,8 +236,6 @@ jobs: - name: Set up Asana templates if: always() id: asana-templates - env: - RELEASE_TYPE: ${{ github.event.inputs.release-type }} run: | if [[ ${{ steps.upload.outcome }} == "success" ]]; then if [[ "${RELEASE_TYPE}" == "internal" ]]; then diff --git a/.github/workflows/tag_release.yml b/.github/workflows/tag_release.yml index 30120d49bf..9105be2624 100644 --- a/.github/workflows/tag_release.yml +++ b/.github/workflows/tag_release.yml @@ -83,6 +83,18 @@ jobs: prerelease: ${{ env.prerelease }} github-token: ${{ github.token }} + - name: Store created tag in a file artifact + if: ${{ github.event_name == 'workflow_call' }} + run: echo ${{ steps.create-tag.outputs.tag }} > .github/tag + + - name: Upload tag artifact + if: ${{ github.event_name == 'workflow_call' }} + uses: actions/upload-artifact@v4 + with: + name: tag + path: .github/tag + retention-days: 1 + - name: Merge to base branch id: merge if: ${{ env.prerelease == 'true' }} @@ -103,7 +115,7 @@ jobs: env: GH_TOKEN: ${{ github.token }} run: | - gh api --method DELETE /repos/${{ github.repository }}/git/refs/heads/${{ env.BRANCH}} + gh api --method DELETE /repos/${{ github.repository }}/git/refs/heads/${{ env.BRANCH }} - name: Set common environment variables if: always()
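Review bot: In tag_release.yml `@@ -83,6 +83,18 @@`, `run: echo ${{ steps.create-tag.outputs.tag }} > .github/tag` expands the expression unquoted into the command line, so the shell word-splits and interprets whatever the `create-tag` step emitted. Pass it through the environment instead: `env:` with `TAG: ${{ steps.create-tag.outputs.tag }}` and `run: printf '%s\n' "$TAG" > .github/tag`. If tag_release.yml can declare `on.workflow_call.outputs` (its `on:` block is outside this hunk), returning the tag as a workflow output and passing it to the publishing workflow as an input would remove the file and artifact handoff altogether.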