diff --git a/.gitea/workflows/release.yaml b/.gitea/workflows/release.yaml
index 4db084d..98f7fe4 100644
--- a/.gitea/workflows/release.yaml
+++ b/.gitea/workflows/release.yaml
@@ -6,8 +6,8 @@
 # (aarch64, macOS, Windows) and the D3 package-manager manifests layer on later,
 # step by step.
 #
-# Correctness comes from the branch gate (clippy + test) that ran when the
-# tagged commit was pushed; this job builds + publishes, it does not re-test.
+# Tests run here before the build so a tag can never publish untested code,
+# even one pointing at a commit that was never gated on a branch.
 name: release
 on:
   push:
@@ -24,14 +24,20 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
+      - name: test
+        run: nix develop -c cargo test --no-fail-fast
+
       - name: build static binary
         run: nix develop -c cargo build --release --target "$TARGET"
 
       - name: package artifacts
+        # Pin bash: the runner defaults scripted steps to dash, which rejects
+        # `set -o pipefail`. bash is in the CI image.
+        shell: bash
         run: |
           set -euo pipefail
           BIN="target/$TARGET/release/rdbms-playground"
-          file "$BIN"
+          ls -l "$BIN"
           OUT="rdbms-playground-${{ github.ref_name }}-$TARGET"
           mkdir -p dist
           cp "$BIN" "dist/$OUT"
@@ -39,6 +45,7 @@ jobs:
           ls -l dist
 
       - name: publish gitea release + assets
+        shell: bash
         env:
           # Auto-provided by Gitea Actions; has repo write (release) scope.
           TOKEN: ${{ secrets.GITEA_TOKEN }}