diff --git a/.github/dependabot.yml b/.github/dependabot.yml
deleted file mode 100644
index dfb90b7..0000000
--- a/.github/dependabot.yml
+++ /dev/null
@@ -1,11 +0,0 @@
-version: 2
-updates:
- - package-ecosystem: "github-actions"
- directory: "/"
- schedule:
- interval: "weekly"
-
- - package-ecosystem: "docker"
- directory: "/"
- schedule:
- interval: "weekly"
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
new file mode 100644
index 0000000..28b04c9
--- /dev/null
+++ b/.github/workflows/build.yaml
@@ -0,0 +1,42 @@
+# Only build (optionally push) the project image when a release is made, which
+# is represented by a push-tag event or a workflow_dispatch from another workflow.
+---
+name: Build-Push
+
+env:
+ # Current supported Python version. For applications, there is generally no
+ # reason to support multiple Python versions, so all actions are run with
+ # this version. Quote the version to avoid interpretation as a floating
+ # point number.
+ PYTHON_VERSION: "3.12"
+ UV_PYTHON_PREFERENCE: "system"
+ BUILDKIT_PROGRESS: "plain"
+
+"on":
+ push:
+ tags:
+ - "*"
+ workflow_dispatch:
+
+jobs:
+ ci:
+ uses:
+ ./.github/workflows/ci.yaml
+
+ build:
+ runs-on: ubuntu-latest
+ needs: [ci]
+ timeout-minutes: 10
+
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - uses: lsst-sqre/build-and-push-to-ghcr@v1
+ id: build
+ with:
+ image: ${{ github.repository }}
+ target: runtime-image
+ github_token: ${{ secrets.GITHUB_TOKEN }}
+ push: false
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index b905e69..ad2d5d0 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
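Review bot: The new `.github/workflows/build.yaml` declares no `permissions:` block while handing `secrets.GITHUB_TOKEN` to `lsst-sqre/build-and-push-to-ghcr@v1`, so the action receives whatever scope the repository default grants. With `push: false` the build presumably needs only read access; a top-level `permissions:` with `contents: read` would bound it, after confirming the action needs nothing more. `@v1` and `actions/checkout@v4` are mutable tags and could be pinned to full commit SHAs. That matters more here because the same commit deletes `.github/dependabot.yml`, the only visible mechanism that kept the `github-actions` and `docker` references updated.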
@@ -1,40 +1,16 @@ -name: CI - -env: - # Current supported Python version. For applications, there is generally no - # reason to support multiple Python versions, so all actions are run with - # this version. Quote the version to avoid interpretation as a floating - # point number. - PYTHON_VERSION: "3.12" - UV_PYTHON_PREFERENCE: "system" - BUILDKIT_PROGRESS: "plain" - +# CI workflow runs linting, typing, and unit tests on every push to a branch +# and when called from another workflow. +--- +name: "CI" "on": - merge_group: {} - pull_request: - types: - - opened - - synchronize - - reopened - - closed + workflow_call: + push: branches: - - main - - "u/**" - "tickets/**" - push: - # branches-ignore: - # # These should always correspond to pull requests, so ignore them for - # # the push trigger and let them be triggered by the pull_request - # # trigger, avoiding running the workflow twice. This is a minor - # # optimization so there's no need to ensure this is comprehensive. - # - "dependabot/**" - # - "gh-readonly-queue/**" - # - "renovate/**" - # - "tickets/**" - # - "u/**" - # - "main" - tags: - - "*" + - "u/**" + +env: + UV_FROZEN: "1" jobs: lint: @@ -53,6 +29,8 @@ jobs: uses: pre-commit/action@v3.0.1 test: + name: Run unit tests + needs: [lint] runs-on: ubuntu-latest timeout-minutes: 10 
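Review bot: The first hunk of `.github/workflows/ci.yaml` reduces `env:` to `UV_FROZEN: "1"`, but the `test` job still passes `python-version: ${{ env.PYTHON_VERSION }}` (visible as context in the third hunk), which will now expand to an empty string. Workflow-level `env` in a calling workflow is not propagated to a workflow invoked through `workflow_call`, so the `PYTHON_VERSION` defined in build.yaml does not cover this file; keep `PYTHON_VERSION: "3.12"` next to `UV_FROZEN` here. Separately, with `pull_request` and `merge_group` removed and `main` dropped from `branches`, nothing in this file runs on a pull request from a branch outside `tickets/**` or `u/**`, or on the merge result. The release job that moves to release.yaml no longer has `needs: [lint, test]`, so a release can be tagged from a commit these checks never saw; confirm that is intended or is enforced by branch protection.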
@@ -65,79 +43,3 @@ jobs: python-version: ${{ env.PYTHON_VERSION }} tox-envs: "py,coverage-report,typing" tox-requirements: requirements/tox.txt - - build: - runs-on: ubuntu-latest - needs: [lint, test] - timeout-minutes: 10 - - # Only do Docker builds of tagged releases and pull requests from ticket - # branches. This will still trigger on pull requests from untrusted - # repositories whose branch names match our tickets/* branch convention, - # but in this case the build will fail with an error since the secret - # won't be set. - if: > - ( - github.event_name == 'pull_request' && - github.event.action != 'closed' && - startsWith(github.head_ref, 'u/tobyj/') - ) || ( - github.event_name == 'push' && - startsWith(github.ref, 'refs/tags/') || - ) - - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - - uses: lsst-sqre/build-and-push-to-ghcr@u/tobyj/docker_target - id: build - with: - image: ${{ github.repository }} - target: runtime-image - github_token: ${{ secrets.GITHUB_TOKEN }} - push: false - - # Release -- when PR is merged to main, bump version, make tag, recommit - release: - runs-on: ubuntu-latest - needs: [lint, test] - timeout-minutes: 10 - if: >- - github.event_name == 'pull_request' - && github.event.action == 'closed' - && github.event.pull_request.merged == true - steps: - - run: >- - echo "${{ github.head_ref }} merged into ${{ github.ref }} - by {{ github.event.pull_request.user.name }} <{{ github.event.pull_request.user.email }}>" - - uses: actions/checkout@v4 - - - name: Set up UV - uses: astral-sh/setup-uv@v4 - with: - version: "0.5" - - - name: Set up Python - uses: actions/setup-python@v5 - with: - python-version-file: "pyproject.toml" - - - name: Install Release Manager - run: >- - uv tool install python-semantic-release - - - name: Configure Git - run: | - git config --global user.email "${{ github.actor }}@users.noreply.github.com" - git config --global user.name "${{ github.actor }}" - - - name: Bump Project Version - env: - 
GIT_COMMIT_AUTHOR: "${{github.actor}} <${{github.actor}}@users.noreply.github.com>" - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: >- - semantic-release - version --patch - --no-vcs-release --skip-build --no-changelog diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml new file mode 100644 index 0000000..2b13271 --- /dev/null +++ b/.github/workflows/release.yaml 
@@ -0,0 +1,60 @@
+# Build a project release whenever a pull request is merged to main.
+---
+name: Release
+
+env:
+ # Current supported Python version. For applications, there is generally no
+ # reason to support multiple Python versions, so all actions are run with
+ # this version. Quote the version to avoid interpretation as a floating
+ # point number.
+ PYTHON_VERSION: "3.12"
+ UV_PYTHON_PREFERENCE: "system"
+ BUILDKIT_PROGRESS: "plain"
+
+"on":
+ pull_request:
+ types:
+ - closed
+ branches:
+ - main
+
+jobs:
+
+ # Release -- when PR is merged to main, bump version, make tag, recommit
+ release:
+ runs-on: ubuntu-latest
+ timeout-minutes: 10
+ if: >-
+ github.event_name == 'pull_request'
+ && github.event.action == 'closed'
+ && github.event.pull_request.merged == true
+ steps:
+ - run: >-
+ echo "${{ github.head_ref }} merged into ${{ github.ref }}
+ by {{ github.event.pull_request.user.name }} <{{ github.event.pull_request.user.email }}>"
+ - uses: actions/checkout@v4
+
+ - name: Make Release
+ id: release
+ uses: python-semantic-release/pythong-semantic-release@9
+ with:
+ github_token: ${{ secrets.GITHUB_TOKEN }}
+ git_committer_name: "github_actions[bot]"
+ git_committer_email: "41898282+github_actions[bot]@users.noreply.github.com"
+ force: patch
+ build: false
+ changelog: false
+ vcs_release: false
+
+ # Pushing the tag will not trigger any related events, so we have to use
+ # workflow_dispatch to affect the tag-related build.
+ - name: Trigger Build Workflow
+ uses: actions/github-script@v7
+ with:
+ script: |
+ github.rest.actions.createWorkflowDispatch({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ workflow_id: 'build.yml',
+ ref: ${{ steps.release.outputs.tag }}
+ })
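Review bot: The first step's `run:` expands `${{ github.head_ref }}` straight into the shell command, so a pull-request branch name containing shell metacharacters is interpreted by the runner in a job that also uses `secrets.GITHUB_TOKEN`. The `ref: ${{ steps.release.outputs.tag }}` line in the github-script step has the same shape and, being unquoted, would not parse as JavaScript for a tag such as `v1.2.3` (constructed example). Both values should be passed through `env:` and read as data, and the dispatch call should be awaited so a failed request fails the step. Separately, `pythong-semantic-release` looks like a typo in the action name (and the `@9` ref should be checked against an existing tag), and `workflow_id: 'build.yml'` does not match the `build.yaml` file this commit adds. The job declares no `permissions:`, so the token scope is whatever the repository default is; an explicit block naming only what the release and dispatch need would bound it.

```yaml
    steps:
      # the "by …" suffix is left out here: in the hunk it uses `{{ … }}`
      # without `$`, so it is printed literally rather than expanded
      - env:
          HEAD_REF: ${{ github.head_ref }}
          BASE_REF: ${{ github.ref }}
        run: echo "$HEAD_REF merged into $BASE_REF"
      # … unchanged: checkout and Make Release steps …
      - name: Trigger Build Workflow
        uses: actions/github-script@v7
        env:
          RELEASE_TAG: ${{ steps.release.outputs.tag }}
        with:
          script: |
            await github.rest.actions.createWorkflowDispatch({
              owner: context.repo.owner,
              repo: context.repo.repo,
              workflow_id: 'build.yaml',
              ref: process.env.RELEASE_TAG
            })
```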