diff --git a/.github/workflows/bundle-desktop-windows.yml b/.github/workflows/bundle-desktop-windows.yml
index d6a6370f..b74db058 100644
--- a/.github/workflows/bundle-desktop-windows.yml
+++ b/.github/workflows/bundle-desktop-windows.yml
@@ -26,6 +26,8 @@ on:
 required: false
 WINDOW_SIGNING_ROLE:
 required: false
+ WINDOW_SIGNING_ROLE_TAG:
+ required: false
 # Permissions required for OIDC authentication with AWS
 permissions:
@@ -51,7 +53,7 @@ jobs:
 if: inputs.signing && inputs.signing == true
 uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # ratchet:aws-actions/configure-aws-credentials@v4
 with:
- role-to-assume: ${{ secrets.WINDOW_SIGNING_ROLE }}
+ role-to-assume: ${{ startsWith(inputs.ref, 'refs/tags/') && secrets.WINDOW_SIGNING_ROLE_TAG || secrets.WINDOW_SIGNING_ROLE }}
 aws-region: us-west-2
 # 2) Set up Node.js
diff --git a/.github/workflows/canary.yml b/.github/workflows/canary.yml
index 27ffd00a..14c1cc90 100644
--- a/.github/workflows/canary.yml
+++ b/.github/workflows/canary.yml
@@ -96,6 +96,7 @@ jobs:
 secrets:
 WINDOWS_CODESIGN_CERTIFICATE: ${{ secrets.WINDOWS_CODESIGN_CERTIFICATE }}
 WINDOW_SIGNING_ROLE: ${{ secrets.WINDOW_SIGNING_ROLE }}
+ WINDOW_SIGNING_ROLE_TAG: ${{ secrets.WINDOW_SIGNING_ROLE_TAG }}
 # ------------------------------------
 # 7) Create/Update GitHub Release
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index bb03de72..28fda8d6 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -83,6 +83,7 @@ jobs:
 secrets:
 WINDOWS_CODESIGN_CERTIFICATE: ${{ secrets.WINDOWS_CODESIGN_CERTIFICATE }}
 WINDOW_SIGNING_ROLE: ${{ secrets.WINDOW_SIGNING_ROLE }}
+ WINDOW_SIGNING_ROLE_TAG: ${{ secrets.WINDOW_SIGNING_ROLE_TAG }}
 # ------------------------------------
 # 7) Create/Update GitHub Release
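Review bot: The new `role-to-assume` expression in bundle-desktop-windows.yml silently falls back to `secrets.WINDOW_SIGNING_ROLE` when `WINDOW_SIGNING_ROLE_TAG` is empty, because `a && b || c` yields `c` whenever `b` is falsy and the first hunk declares the new secret `required: false`. A tag build whose caller did not pass the secret would then request the non-tag role instead of failing with a clear message. The selector also keys on the caller-supplied `inputs.ref`, while the OIDC token subject is derived from the run's actual ref; if the roles' trust policies are scoped by ref (not visible here), `startsWith(github.ref, 'refs/tags/')` would keep the choice aligned with what AWS will accept. A guard step before this one that exits non-zero when the ref is a tag and the tag role is unset would make the misconfiguration explicit. The enclosing step and job begin outside the hunk.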
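Review bot: Passing `WINDOW_SIGNING_ROLE_TAG` into the canary.yml call hands that workflow the tag-signing role identifier even though, if canary only runs on branch pushes (its trigger is outside the hunk), the `refs/tags/` arm of the selector can never be taken there. Dropping the line from canary.yml and keeping it only in release.yml would follow least privilege, and the callee already tolerates its absence since the secret is `required: false`. If canary can in fact be dispatched against a tag, a short comment above the line such as `# needed when canary is run from a tag ref` would record why it is passed.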