diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
index e75a8b0..77e5947 100644
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@@ -50,6 +50,11 @@ jobs:
   # matrix below then only adds files to this already-existing release and can
   # never race to create it (the race that made action-gh-release v3 fail with
   # "already_exists (tag_name)").
+  #
+  # The release is created as a draft so it is not publicly visible while the
+  # upload matrix is still attaching assets. The publish-release job flips it to
+  # published only after all assets are present, so the public never sees a
+  # partial or empty release.
   create-release:
     needs: build
     if: startsWith(github.ref, 'refs/tags/v')
@@ -58,8 +63,10 @@ jobs:
       contents: write
 
     steps:
-    - name: Ensure release exists for tag
+    - name: Create draft release for tag
       uses: softprops/action-gh-release@v3
+      with:
+        draft: true
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
@@ -137,12 +144,33 @@ jobs:
 
     # The release already exists (created by create-release), so each matrix leg
     # only adds its binary and checksum. No matrix job creates the release, which
-    # avoids the concurrent-create race entirely.
-    - name: Upload assets to release
+    # avoids the concurrent-create race entirely. draft: true is set explicitly
+    # so these update calls keep the release in draft (the action's draft input
+    # defaults to false and would otherwise publish it early).
+    - name: Upload assets to draft release
       uses: softprops/action-gh-release@v3
       with:
+        draft: true
         files: |
           ${{ matrix.asset_name }}
           ${{ matrix.asset_name }}.sha256
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  # Single job that publishes the release once, only after the full asset set is
+  # attached. Flipping draft to false here is the moment the release becomes
+  # public, so there is no window where a partial or empty release is visible.
+  publish-release:
+    needs: upload-assets
+    if: startsWith(github.ref, 'refs/tags/v')
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+
+    steps:
+    - name: Publish release
+      uses: softprops/action-gh-release@v3
+      with:
+        draft: false
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}